Security Issues

Sensitive Information

• Profile information
• Passwords
• Communications between individuals
• Grades via the grade calculator
• Open availability of individuals

Protection Plan:

• Environment Variables: Store sensitive data like database credentials and API keys in environment variables, ensuring they’re not accessible in your version control.
• Encryption: Hash passwords (e.g., bcrypt) to prevent them from being stored in plaintext.

Attack Vectors

• Unauthorized Access: Ensure users only have access to the groups and data they are permitted to see.
• Cross-Site Scripting (XSS): User inputs, such as profile descriptions or messages, could be avenues for injecting malicious code.
• Database Security (NoSQL Injection): Avoid NoSQL injection by validating user inputs when querying the database.
• Server Security: Protect against unauthorized server access.

Protection Plans:

Unauthorized Access Plan:

• Ensure that each user logs in with a valid '.email.sc.edu' email
• Implement role-based access control (RBAC) to assign user permissions, ensuring only authorized users can create, modify, or delete study groups.
• Check user authentication and permissions on each request, especially before allowing access to sensitive endpoints.

XSS Plan:

• Sanitize all input fields that users can edit or view.
• Implement Content Security Policies (CSP) to limit where scripts and other resources can be loaded.

Database Plan:

• Use parameterized queries or an ORM that protects against injection vulnerabilities.

Server Plan:

• Regularly update dependencies.
• Configure firewalls to limit database access to the server IP and secure your Node.js server setup with rate-limiting and strong password policies for admin access.