
The endpoints don't do much; the app delegates most of its functionality to very well-known Python libraries, there's minimal backend, no account system... it's a pretty auditable piece of code. If you can't get a handle on the security of this thing, there's no web app you can get a handle on.


There is an account system too - journalists got passwords, sources got "code names".

Not huge, but much more complicated than it could be. For instance, it redefined CSRF protection in a weird way https://github.com/lepture/flask-wtf/blob/master/flask_wtf/c...
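For readers who want a reference point for what a conventional (synchronizer-token) CSRF scheme looks like, the following is an added, stdlib-only illustration. It is not flask-wtf's code and does not reproduce whatever the commenter considers weird about it; the function names, the `csrf_nonce` session key, the `ts.mac` token layout and the one-hour lifetime are all this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed for this example: a token stays valid for one hour.
TOKEN_TTL = 3600


def issue_token(session: dict, secret_key: bytes, now: Optional[int] = None) -> str:
    """Mint a CSRF token bound to this session.

    The session stores only a random per-session nonce; the token itself is
    "<timestamp>.<hmac>", where the HMAC covers nonce and timestamp, so a token
    cannot be replayed against another session or after it expires.
    """
    if "csrf_nonce" not in session:
        session["csrf_nonce"] = secrets.token_hex(32)  # 256 bits of randomness
    ts = int(now if now is not None else time.time())
    msg = f"{session['csrf_nonce']}|{ts}".encode()
    mac = hmac.new(secret_key, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def validate_token(session: dict, secret_key: bytes, token: str,
                   now: Optional[int] = None) -> bool:
    """Check a submitted token against the session's nonce.

    Rejects malformed tokens, tokens from the future, expired tokens, tokens
    minted for a different session, and tokens forged without the secret key.
    The MAC comparison is constant-time so it leaks nothing about the expected value.
    """
    nonce = session.get("csrf_nonce")
    if nonce is None or not token:
        return False
    ts_str, sep, mac = token.partition(".")
    if not sep or not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = int(now if now is not None else time.time())
    if ts > current or current - ts > TOKEN_TTL:
        return False
    expected = hmac.new(secret_key, f"{nonce}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    # Constructed demo: an in-memory "session" dict stands in for the server-side session.
    key = secrets.token_bytes(32)
    session = {}
    token = issue_token(session, key)
    print("valid for own session:", validate_token(session, key, token))
    print("valid for other session:", validate_token({"csrf_nonce": "x"}, key, token))
```

The design points a reviewer would look for are all visible here: the secret never leaves the server, the token is bound to the session rather than to a global secret alone, expiry is enforced, and the comparison uses `hmac.compare_digest` rather than `==`.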


Securedrop is used by NYT-level companies. I thought using it was a no-brainer for any news media. Now I am having doubts :((


Overcomplicated doesn't mean insecure, but the less code the better.


OT: homakov and tptacek in the same thread <3



