by MoonGhost 371 days ago
> The solution is always the same: use fine grained permissions, apply the principle of least privilege,

And one of the most important: keep it sandboxed as much as possible.

Also, if the tool is directly accessible by a third party and in turn has access to sensitive data, it may be a good idea to split it. For example: a third party, in order to access some database, requests a login and password. Instead, the tool should return some temporary token (after verification, of course), which is much harder to misuse. Then the token, through the tool, is used for access. In this case we split the tool in two: one is the user's frontend, and the other holds all the security things, including logins and passwords.
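
The split described in the comment above, as an added sketch that is not part of the original comment. The `CredentialBroker` class, the caller registry, the HMAC token format and the sample data are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample data: a caller registry and a stand-in for the database.
KNOWN_CALLERS = {"partner-a": "constructed-api-key"}
FAKE_DB = {"orders": [{"id": 1, "total": 40}]}

class CredentialBroker:
    """Backend half: the only component holding the database password."""

    def __init__(self, db_password, ttl_seconds=60):
        self._db_password = db_password      # never returned to any caller
        self._key = secrets.token_bytes(32)  # token-signing key, also private
        self._ttl = ttl_seconds

    def _sign(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, caller, api_key, table, now=None):
        # "After verification": check the caller before handing out anything.
        expected = KNOWN_CALLERS.get(caller)
        if expected is None or not hmac.compare_digest(api_key.encode(), expected.encode()):
            raise PermissionError("caller not verified")
        now = time.time() if now is None else now
        claims = {"sub": caller, "scope": "read:" + table, "exp": now + self._ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return body + "." + self._sign(body)

    def query(self, token, table, now=None):
        body, _, sig = token.partition(".")
        # Verify the signature before decoding or trusting any claim.
        if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        if claims["scope"] != "read:" + table:
            raise PermissionError("token not valid for this table")
        # A real broker would open the DB connection with self._db_password here.
        return FAKE_DB[table]

def frontend_read(broker, token, table):
    """Frontend half: holds only the token and forwards it to the broker."""
    return broker.query(token, table)
```

A leaked token here exposes one table for the remaining lifetime of the token, while the password and signing key stay inside the broker.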