From a33970fb1d2e3d80026bf954ab11eada56cbc83e Mon Sep 17 00:00:00 2001 From: Florian Vranckx Date: Thu, 15 Sep 2022 16:41:14 +0200 Subject: [PATCH] [ADD] Security pitfall: http request --- content/developer/reference/backend/security.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/content/developer/reference/backend/security.rst b/content/developer/reference/backend/security.rst index 39b10b612..9515e03cb 100644 --- a/content/developer/reference/backend/security.rst +++ b/content/developer/reference/backend/security.rst @@ -481,3 +481,17 @@ field value can be easily achieved safely: The above method is obviously still too optimistic and additional verifications on the record id and field value must be done. + + +Http Request +--------------------------- + +Some may need to make an HTTP request directly from python, it is require to follow some best practices + +**Injectable domain** + +Care must be taken while manipulating the domain name of the request, the domain should never depend on user input. +If the domain can be changed by the user, a malicious user could use the server running the code to send multiple requests to a chosen target. +This is known as a reflective-DDOS attack, where one can overload a target without sending the packet himself. + +**URL path/query Injectable** \ No newline at end of file
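Review bot: The hunk ends with `**URL path/query Injectable**` as a bold sub-heading with no text under it, and the file now ends without a trailing newline (`\ No newline at end of file`); either add the path/query guidance in this change or leave the heading out until it is written, and add the final newline. In the opening sentence, "it is require to follow some best practices" should read "it is required to follow some best practices", and the comma splice before it is clearer as two sentences, e.g. "Some may need to make an HTTP request directly from Python. The following best practices must be followed." The `Http Request` underline is much longer than the title; RST accepts that, but an underline matching the title length is the usual convention. The "Injectable domain" paragraph only names the reflected-DDoS abuse; a user-controlled destination host also lets the server be pointed at internal services reachable only from it (server-side request forgery), which is worth a sentence, together with the mitigation the paragraph implies: keep the domain fixed in code or restricted to an allow-list rather than derived from user input.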