Security Notes
Overview
Security in Orlo is on a "best-effort" basis. It has not been audited for security flaws, and its endpoints should be protected from hostile attackers. The authentication/authorisation code has not been pentested, so you should not rely on it to protect security-sensitive information.
Keep instances on private networks
Orlo is intended to be run on a private, trusted network and should not be exposed publicly.
Keep instances isolated
Do not co-locate Orlo with sensitive information.
Cross-site scripting
Orlo presently offers NO protection from cross-site scripting attacks. Any data returned from Orlo should be treated as potentially hostile by any app that renders its output in a web browser.
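As an added example (not Orlo's own code, and not part of this page originally), the following shows what "treat the output as hostile" means for a client that renders Orlo responses in a browser. The `user` and `note` field names and the sample payload are constructed for illustration; the point is that every field from the API is escaped before it reaches markup.

```javascript
// Added example, not Orlo's own code. Field names (user, note) and the
// sample payload are assumptions made for this illustration.

// Minimal HTML escaper covering the characters that matter in text and
// double-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: interpolates API fields straight into markup. Because Orlo does
// not sanitise what it stores, a hostile value lands in the page verbatim.
function renderReleaseUnsafe(release) {
  return `<li class="release"><b>${release.user}</b>: ${release.note}</li>`;
}

// Safe: every untrusted field is escaped on the way out, so the browser
// displays the text instead of interpreting it as markup.
function renderReleaseSafe(release) {
  return `<li class="release"><b>${escapeHtml(release.user)}</b>: ${escapeHtml(release.note)}</li>`;
}

// Constructed sample response with a hostile "note" field.
const sampleRelease = {
  user: "deployer",
  note: '<img src=x onerror="alert(1)">',
};

// Simple check used to demonstrate the difference: does the rendered HTML
// still contain an unescaped tag that the browser would execute?
function containsRawTag(html) {
  return /<img|<script/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe:", renderReleaseUnsafe(sampleRelease));
console.log("safe:  ", renderReleaseSafe(sampleRelease));
```

In a real browser client, building nodes with `document.createElement` and assigning `textContent` avoids string-based escaping altogether; the escaper above is shown because it runs anywhere and makes the difference between the two renderers visible.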
Third-party libraries
Orlo uses third-party libraries for security-sensitive operations where possible.