Comment on Women’s ‘red flag’ app Tea is a privacy nightmare
GissaMittJobb@lemmy.ml 18 hours agoSSL is not the tool you need in this case, although you should obviously already be running exclusively on encrypted traffic.
The problem here is one of access rights - you should not make files default-available for anyone that can figure out the file name to the particular file in the bucket. At the very least, you need to be using signed URLs with a reasonably short expiration, and default all other access to be blocked.
NeilBru@lemmy.world 16 hours ago
As I mentioned in other comments, I am a noob when it comes to web-sec best practices, so please forgive what may be dumb questions.
Is it really just permission rights “over-exposure” issue? Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?
Also, if you have time, recommend any links to web/cloud/SaaS security best practices “for dummies”?