From be93de5610c33d99e0572215640ce2625741828a Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 28 Nov 2023 18:58:50 +0000 Subject: [PATCH] Note about deserialization --- README_architecture.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_architecture.md b/README_architecture.md index 4dcb87bec..04f4cec3b 100644 --- a/README_architecture.md +++ b/README_architecture.md @@ -66,7 +66,7 @@ Where Json linked data signatures are supported there should not be arbitrary sc ### Avoid Web Frameworks -In general avoid using web frameworks and instead use local modules which are prefixed with *webapp_*. Web frameworks are built for conventional software engineering by large companies who are designing for scale. They typically have database dependencies and contain a lot of hardcoded Google stuff or other things which will leak metadata or be incompatible with onion routing. Keeping up with web frameworks is a constant firefight. They also create a massive attack surface requiring constant vigilance. +In general avoid using web frameworks and instead use local modules which are prefixed with *webapp_*. Web frameworks are built for conventional software engineering by large companies who are designing for scale. They typically have database dependencies and contain a lot of hardcoded Google stuff or other things which will leak metadata or be incompatible with onion routing. Keeping up with web frameworks is a constant firefight. They also create a massive attack surface requiring constant vigilance. Another common attack vector is via deserialization functions buried within common web frameworks. ## High Level Architecture
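Review bot: The sentence added at the end of the "Avoid Web Frameworks" paragraph states that deserialization functions in web frameworks are a common attack vector but gives the reader nothing to act on; since the paragraph's recommendation is to use local `webapp_*` modules, it would be stronger to say what those modules should do differently, e.g. "Incoming data should be parsed with a plain JSON parser and validated against the expected fields; never pass untrusted input to a general-purpose object deserializer." Two smaller points on the same line: "via deserialization functions buried within common web frameworks" repeats "common" from the start of the sentence ("Another common attack vector ... common web frameworks"), and the new sentence is appended to an already long paragraph whose argument is about maintenance burden and metadata leakage, so a line break before it would keep the deserialization point from reading as an afterthought.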