[Chicago] Handling secret stuff: update

Leon Shernoff leon at mushroomthejournal.com
Mon May 16 18:02:26 EDT 2016

Hi, everyone

and thanks for the suggestions!

Thanks, Philip and Joshua. I have been reading OWASP and they are a big 
part of what scared *me* wrt this situation. :-)

Nick, I don't know how Django works. But @ the "code trail", Wordpress 
runs on php, which means that when you have a form on a page that's 
supposed to do stuff, the form says
<form action="complete_pathname/dosomething.php" method="post">
and the dosomething.php file is unencrypted text. If the that file 
contains or just is able to access the secret API key, I have a security 
problem. While a would-be hacker may not (shouldn't!) have permissions 
to get to that php file, they at least know where to look, or perhaps 
they can devise some method of triggering the form's actions and having 
its results directed to them. JavaScript has a similar problem -- any 
action you want a page to take is written down in unencrypted pages that 
are interpreted live. It sounds from what you're saying that Django has 
layers between the pages that it serves and code that it runs that make 
this not a problem.

In any case, this is the motivation behind my provisional idea of 
(something like) Japhy's solution -- I'm not running the host server, 
but at least perhaps I can trigger the more sensitive part of the 
operation by scheduled actions which are independent of anything that 
happens via a browser.

Thanks again. Your ideas help me think. :-)

Best regards,

"Creative work defines itself; therefore, confront the work."
      -- John Cage

Leon Shernoff
1511 E 54th St, Bsmt
Chicago, IL  60615

(312) 320-2190

More information about the Chicago mailing list