
Comments (5)

evantahler commented on May 10, 2024

What type of encryption are you looking for? Server-Client or Server-Server? What protocol are you most concerned about?

If you are looking to encrypt Client-Server, the first step is always to encrypt the transport layer (https for web/web sockets and TLS for socket clients). There aren't helpers for TLS streaming yet, but I'll put in an issue to add it.


evantahler commented on May 10, 2024

Assuming you were asking for TLS sockets, that feature is now available on master and will make it into the next release.

I would like to hear more detail on what you are trying to do so I can help.

evantahler@b363b5a


pluspingya commented on May 10, 2024

Thank you for your quick response,

I would like to encrypt chunks of data in transmission.
The server should be protected from fault-data attacks.

I want to make sure that the data transmission will not be modified before it reaches its destination,
and the server should ignore any data that does not come from its clients.


evantahler commented on May 10, 2024

I think you are asking for a few separate things here:

**encryption**

  • I'm assuming you mean client-server communication
  • https and TLS are fully encrypted protocols, and thanks to that last commit, you can enable these and disable their 'plaintext' variants. This will ensure that your messaging for all protocols (socket, web, websocket) is encrypted.
  • this should meet your requirements unless you are asking to send encrypted strings as well. If that's the case, I would need to know more about your application, and more importantly, how you plan to send the encryption keys to the client ahead of time (since they can't be encrypted to begin with).

**fault-data attacks**

  • I'm not entirely sure what you mean here, but I'm going to guess that you are referring to parameter overloading.
  • actionHero will only accept params you define in your actions (all others will be ignored). Check here ('safe params') for more details: https://github.com/evantahler/actionHero/wiki/Web-Clients
  • As with any site, you are responsible for sanitizing and validating users' input before using it. connection.params will be available for you in any action to check and modify.
  • actionHero is meant to be an API framework, and not just for websites. This means that we will not be doing any CSRF / cross site forgery protection by design. If you are using the secure variants of connection protocols that shouldn't be a problem.
  • If you want to implement a session-store (based on unique connection IDs which actionHero assigns) here's an example: https://github.com/evantahler/actionHero/wiki/init-session

**server should ignore data that doesn't come from its clients**

  • as a rule, the server needs to be available to listen to any new client that might show up
  • using the above methods, you can create authentication systems and enforce that connection.session have an authentication bit for 'protected' actions (this is very common).
  • If you need help writing a login system, let me know

I hope this helped!

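The two server-side checks described in the comment above (dropping params an action did not declare, and requiring an authenticated session for 'protected' actions), sketched as an added example that is not part of the thread and is not actionHero's code or API. The `actions` table, `sessions` map, `runAction` function, `protected` flag and the sample credential are all hypothetical.

```javascript
// Added illustration, not actionHero code. All names below are hypothetical.

// Server-side session store keyed by the connection ID the server assigned.
const sessions = new Map();

// Each action declares the only params it accepts and whether it needs a login.
const actions = {
  login: {
    inputs: ['user', 'password'],
    protected: false,
    run(conn, p) {
      // Constructed credential; a real system verifies a salted password hash.
      const ok = p.user === 'alice' && p.password === 'correct horse';
      if (ok) sessions.set(conn.id, { authenticated: true, user: p.user });
      return { ok };
    },
  },
  transfer: {
    inputs: ['to', 'amount'],
    protected: true,
    // Report which params reached the action so the filtering is visible.
    run(conn, p) {
      return { ok: true, seen: Object.keys(p).sort() };
    },
  },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function runAction(conn, name, rawParams) {
  // Own-property lookup so names like 'constructor' never resolve to an action.
  if (!own(actions, name)) return { error: 'unknown action' };
  const action = actions[name];

  // Copy only the declared inputs; anything else the client sent is dropped.
  const params = {};
  for (const key of action.inputs) {
    if (rawParams && own(rawParams, key)) params[key] = rawParams[key];
  }

  // The authentication bit is read from server-side state, never from params.
  const session = sessions.get(conn.id);
  if (action.protected && !(session && session.authenticated)) {
    return { error: 'not authenticated' };
  }
  return action.run(conn, params);
}
```

A client that sends `authenticated: true` or `isAdmin: true` as a param gains nothing: the key is not a declared input, and the session lookup uses only the connection ID.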

pluspingya commented on May 10, 2024

Thank you very much.
