|
|
|
|
|
|
by anglebracket
4510 days ago
|
|
|
True, but just because you trust someone to access the dashboard doesn't mean you trust them to execute code on your server. There are other things to consider as well, like MITM attacks, and that an XSS hole would let the attacker set their own cookies. The data in the cookies is just JSON, right? If json.loads() would work here you should switch to that instead. |
|
|
I would hope that people won't give access to everyone to the dashboard, wasn't really build for that, or at least that wasn't my initial idea.