Comments (10)
User Experience Wins
This comment will (no longer) be edited frequently.
All Users
- Static page caching (cuts response time to less than 1ms on modest hardware)
- When you delete a blog post or custom page, you can specify a URL to redirect visitors so they don't get the dreaded 404 page
- Separation of username (for access controls) and author profile (for publishing)
Editors
- Multiple text formats
  - Rich text (HTML with a WYSIWYG interface)
  - Raw HTML
  - Markdown
  - ReStructuredText
- Recursive blog category structure
- Blog Series
  - Can be organized however the editor wants
  - Each blog post can be assigned to any number of series
- RSS feeds
- XML Sitemaps (mostly for SEO purposes)
Pseudonymous Publishers
- All outbound HTTP/HTTPS requests can be forcefully proxied over Tor
  - Yes, including ReCAPTCHA
Developers
- Ed25519-signed JSON communication
  - I'm not kidding. The API for taking advantage of this is quite simple, too.
- Best-in-class cryptographic features powered by Halite.
- Barge: a simple command line interface for creating, building, signing, and releasing Airship Cabins and Gadgets.
Implementors
- Barge (WIP): a simple command line interface for creating, building, signing, and releasing Airship Motifs.
- Uses Twig, which is a more sane templating language than Smarty.
Security Benefits
- Secure password storage
- Automatic updates
  - Also available to extension developers
  - Much more secure than any other self-updating mechanism
  - Read about its benefits here
- Virtual filesystem for user-uploaded files
  - Allows access controls based on URL patterns
  - Prevents server software (e.g. Apache) from accidentally executing an uploaded file as code
- Manage your Content-Security-Policy headers via web interface
- Opt out of password reset emails, or require them to be encrypted with your PGP public key
- Mandatory CSRF protection on all POST form handlers
- Comprehensive yet simple access controls management
  - Hierarchical group-based and user-based access controls
  - Multi-site architecture where each site has its own permissions matrix
  - Groups can inherit permissions in a hierarchy
  - Permission can be granted to groups or users
  - The UX for all of the above is simple and intuitive
- Adjustable login throttling (based on IP subnet or username)
Vulnerabilities You Don't Have to Worry About
- SQL Injections - We never concatenate user-provided string data with query strings
- Session Vulnerabilities - If you use TLS (which you should!) Airship enforces HSTS and secure-only cookies
- Broken Authentication - Well-implemented authentication protocols (You can even opt out of password resets!)
- XSS - We filter on output, not on input, so column truncation can't be used to enable stored-XSS attacks
- Insecure Direct Object Reference - Our router is a whitelist
- Sensitive Data Exposure - We use HiddenString to hide sensitive data from stack traces
- Missing Function Level Access Control - Not in the Cabins we ship with anyway! (See access controls above)
- CSRF - Mandatory token enforcement
- Using Components with Known Vulnerabilities - We self-update! And we do so more securely than everyone else.
- Open Redirection (unless you go out of your way to make it possible)
- PHP Object Injection - We never use unserialize() (bonus: no memory corruption issues from that function either)
- Insecure RNG - We use the kernel's CSPRNG
- Password Hashing DoS - We use a throttling system called AirBrake and allow fast-failing
A particularly savvy reader will notice we covered 9 out of 10 entries of the 2013 edition of the OWASP Top 10 in this list. The one we couldn't include, Security Misconfiguration, is still something you'll have to worry about when you change settings. It's secure by default, however.
from airship.
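The "Ed25519-signed JSON communication" item above is the feature a developer would most want to see in code. The following is an added example written for this page, not Airship's or Halite's own API: it uses PHP's built-in ext/sodium (PHP 7.2+) directly, and the function names `signJson` / `verifyJson` and the envelope layout (`body` + hex `signature`) are this example's own assumptions. The point it demonstrates is that the signature is computed over, and verified against, the exact serialized bytes before anything is `json_decode`d.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not Airship/Halite code): Ed25519 detached signatures over a
 * JSON body, using ext/sodium. The envelope format is an assumption of this
 * example, not Airship's wire format.
 */

/** Serialize $payload, sign the exact bytes, and wrap both in an outer JSON envelope. */
function signJson(array $payload, string $secretKey): string
{
    $body = json_encode($payload, JSON_UNESCAPED_SLASHES);
    if ($body === false) {
        throw new RuntimeException('Could not encode payload: ' . json_last_error_msg());
    }
    // Detached signature over the serialized body, not over the PHP array.
    $signature = sodium_crypto_sign_detached($body, $secretKey);

    $envelope = json_encode([
        'body'      => $body,
        'signature' => sodium_bin2hex($signature),
    ], JSON_UNESCAPED_SLASHES);
    if ($envelope === false) {
        throw new RuntimeException('Could not encode envelope: ' . json_last_error_msg());
    }
    return $envelope;
}

/**
 * Verify the envelope against $publicKey. Returns the decoded payload on
 * success, or null on any structural or signature failure. The body is only
 * parsed after the signature checks out.
 */
function verifyJson(string $envelope, string $publicKey): ?array
{
    if (strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return null;
    }
    $outer = json_decode($envelope, true);
    if (!is_array($outer)
        || !isset($outer['body'], $outer['signature'])
        || !is_string($outer['body'])
        || !is_string($outer['signature'])
    ) {
        return null;
    }
    try {
        $signature = sodium_hex2bin($outer['signature']);
    } catch (SodiumException $e) {
        return null; // malformed hex
    }
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null;
    }
    if (!sodium_crypto_sign_verify_detached($signature, $outer['body'], $publicKey)) {
        return null; // tampered body, wrong key, or forged signature
    }
    $payload = json_decode($outer['body'], true);
    return is_array($payload) ? $payload : null;
}

// --- usage ---------------------------------------------------------------
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

// Constructed sample message (not a real Airship update payload).
$envelope = signJson(['action' => 'update', 'version' => '1.2.3'], $secretKey);

var_dump(verifyJson($envelope, $publicKey) !== null);          // bool(true)

// Flip one character inside the signed body: verification must fail.
$tampered = str_replace('1.2.3', '9.9.9', $envelope);
var_dump(verifyJson($tampered, $publicKey));                   // NULL

// A different key pair must not verify either.
$otherPublicKey = sodium_crypto_sign_publickey(sodium_crypto_sign_keypair());
var_dump(verifyJson($envelope, $otherPublicKey));              // NULL

sodium_memzero($secretKey);
```

Signing the serialized string rather than the decoded array is what makes the check unambiguous: two JSON documents that decode to the same PHP array can differ byte-for-byte, and the verifier should only ever accept the bytes the signer actually saw.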
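The list also mentions "adjustable login throttling (based on IP subnet or username)" and, under Password Hashing DoS, a throttle called AirBrake that allows fast-failing. The block below is an added illustration of that design, written for this page; it is not AirBrake's code and its class name, parameters and backoff schedule are assumptions. What it shows is the fast-fail ordering: the throttle is consulted before `password_verify()` runs, so a locked-out attacker never triggers the expensive hash, and keying on both the client's subnet (/24 for IPv4, /64 for IPv6) and the username means a single user cannot be locked out from one address while an attacker rotating hosts within one subnet cannot evade the limit.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not Airship's AirBrake): an in-memory login throttle keyed by
 * client subnet OR username, checked before any password hashing happens.
 * Backoff schedule, thresholds and key formats are this example's assumptions.
 */
final class LoginThrottle
{
    /** @var array<string, array{count:int, until:int}> keyed by subnet or username */
    private $state = [];
    private $maxFailures;
    private $baseDelay;
    private $maxDelay;

    public function __construct(int $maxFailures = 5, int $baseDelay = 30, int $maxDelay = 3600)
    {
        $this->maxFailures = $maxFailures;
        $this->baseDelay   = $baseDelay;
        $this->maxDelay    = $maxDelay;
    }

    /** Reduce an address to its subnet: /24 for IPv4, /64 for IPv6. */
    public static function subnetKey(string $ip): string
    {
        $bin = inet_pton($ip);
        if ($bin === false) {
            throw new InvalidArgumentException("Not an IP address: $ip");
        }
        if (strlen($bin) === 4) {
            return 'ip:' . inet_ntop(substr($bin, 0, 3) . "\0") . '/24';
        }
        return 'ip:' . inet_ntop(substr($bin, 0, 8) . str_repeat("\0", 8)) . '/64';
    }

    public static function userKey(string $username): string
    {
        return 'user:' . strtolower($username);
    }

    /** Seconds the caller must wait before trying again; 0 means proceed. */
    public function retryAfter(string $ip, string $username, int $now): int
    {
        $wait = 0;
        foreach ([self::subnetKey($ip), self::userKey($username)] as $key) {
            if (isset($this->state[$key]) && $this->state[$key]['until'] > $now) {
                $wait = max($wait, $this->state[$key]['until'] - $now);
            }
        }
        return $wait;
    }

    /** Count a failure against both keys; past the threshold, back off exponentially. */
    public function recordFailure(string $ip, string $username, int $now): void
    {
        foreach ([self::subnetKey($ip), self::userKey($username)] as $key) {
            $count = ($this->state[$key]['count'] ?? 0) + 1;
            $until = $now;
            if ($count >= $this->maxFailures) {
                $delay = min($this->maxDelay, $this->baseDelay * (2 ** ($count - $this->maxFailures)));
                $until = $now + $delay;
            }
            $this->state[$key] = ['count' => $count, 'until' => $until];
        }
    }

    public function recordSuccess(string $ip, string $username): void
    {
        unset($this->state[self::subnetKey($ip)], $this->state[self::userKey($username)]);
    }
}

/** Fast-fail: consult the throttle first so a blocked caller never costs a hash. */
function attemptLogin(LoginThrottle $throttle, string $ip, string $user, string $password, string $storedHash, int $now): string
{
    $wait = $throttle->retryAfter($ip, $user, $now);
    if ($wait > 0) {
        return "throttled: retry after {$wait}s";
    }
    if (password_verify($password, $storedHash)) {
        $throttle->recordSuccess($ip, $user);
        return 'ok';
    }
    $throttle->recordFailure($ip, $user, $now);
    return 'invalid credentials';
}

// --- usage with constructed addresses and credentials ----------------------
$throttle = new LoginThrottle(3, 30, 3600);
$hash     = password_hash('correct horse', PASSWORD_DEFAULT);
$t        = time();

foreach (['guess1', 'guess2', 'guess3'] as $bad) {
    echo attemptLogin($throttle, '203.0.113.7', 'alice', $bad, $hash, $t), "\n";   // invalid credentials x3
}
echo attemptLogin($throttle, '203.0.113.200', 'bob', 'x', $hash, $t), "\n";          // throttled: same /24
echo attemptLogin($throttle, '198.51.100.1', 'alice', 'correct horse', $hash, $t), "\n";      // throttled: same username
echo attemptLogin($throttle, '198.51.100.1', 'alice', 'correct horse', $hash, $t + 31), "\n"; // ok
```

In a real deployment the `$state` array would live in the database or a shared cache so that all web workers see the same counters; the in-memory array here is only so the example runs stand-alone.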
How about multiple blocks? Drag and drop layout management? Navigation editors, image galleries, site maps and full site search?
This is coming from a content editor perspective.
from airship.
How about multiple blocks?
Motifs consist of two parts: Static resources (CSS, JS), and Twig templates. You can override the "base template" by changing one line in the motif.json file to completely restructure everything.
Gadgets can override specific templates (e.g. via the Cargo API).
Drag and drop layout management?
That's an idea worth considering.
Navigation editors, image galleries, site maps and full site search?
- Navigation editors: You can change what goes in the navbar, but that's something better-suited for a gadget than core functionality.
- Image galleries: That's a good idea.
- Site maps: Intended to be baked in.
- Full site search: Not implementing in version 1, because I need to do more research on search engine development and then design it to not be a denial of service vector.
Thanks for the suggestions! 👍
from airship.
How about 2 factor auth?
from airship.
How to implement it?
- Google Authenticator - hostile towards Tor users
- SMS - requires a phone number and Twilio account
- Yubikey - requires additional hardware
from airship.
GPG encrypted email?
from airship.
Already implemented. :)
from airship.
As a 2FA mechanism?
from airship.
I'll make a ticket for implementing 2FA, but I'm not sure if it will land before v1.0.0 due to the anticipated research burden and short time table.
from airship.
Okay, this list is good. I'll get around to writing this before v1
from airship.