Security Notes
==============

Overview
--------

Security in Orlo is on a "best-effort" basis. It has not been audited for security flaws, and its endpoints should 
be protected from hostile attackers.  The authentication/authorisation code has not been pentested, thus you 
should not rely on it to protect security-sensitive information.


Keep instances on private networks
----------------------------------

Orlo is intended to be run on a private, trusted network and should not be exposed publicly.


Keep instances isolated
-----------------------

Do not co-locate Orlo with sensitive information.


Cross-site scripting
--------------------

Orlo presently offers NO protection from cross-site scripting attacks. You should treat any data returned from Orlo as 
potentially hostile in any app that uses its output in a web browser


Third-party libraries
---------------------

Orlo uses third-party libraries for security-sensitive operations where possible.