1 files changed, 20 insertions, 0 deletions
diff --git a/readme.md b/readme.md
index 6fab8d8..1508142 100644
--- a/readme.md
+++ b/readme.md
@@ -182,6 +182,26 @@ thread-local global variables.
 * SQL injections are prevented by using proper query parameters substitution,
  automatically handled by the embrace and psycopg libraries.
+* Passwords are salted and hashed when stored in the database to ensure some
+  minimal protection of the [data at rest]. The hashing is handled by the
+  [passlib] library, which also covers algorithm migrations.
+* Cross-Site Request Forgery ([CSRF]) attacks are mitigated through the
+  conjunctive use of POST requests for user actions and [SameSite] restrictions
+  for session cookies. (_note: this will become a sufficient protection only
+  when support in browsers will become ubiquitous_).
+* In its current state, the application does not implement any kind of rate
+  limiting. Such restriction would be needed for real world applications in
+  order to mitigate account password brute-force attacks, but also to prevent
+  users from avoiding transfer fees by sending many small unbilled
+  transactions.
+[data at rest]: https://en.wikipedia.org/wiki/Data_at_rest
+[passlib]: https://passlib.readthedocs.io/en/stable/
+[CSRF]: https://owasp.org/www-community/attacks/csrf
+[SameSite]: https://owasp.org/www-community/SameSite
 ## Development environment

diff --git a/readme.md b/readme.md index 6fab8d8..1508142 100644 --- a/readme.md +++ b/readme.md
@@ -182,6 +182,26 @@ thread-local global variables.
182	* SQL injections are prevented by using proper query parameters substitution,	182	* SQL injections are prevented by using proper query parameters substitution,
183	automatically handled by the embrace and psycopg libraries.	183	automatically handled by the embrace and psycopg libraries.
184		184
		185	* Passwords are salted and hashed when stored in the database to ensure some
		186	minimal protection of the [data at rest]. The hashing is handled by the
		187	[passlib] library, which also covers algorithm migrations.
		188
		189	* Cross-Site Request Forgery ([CSRF]) attacks are mitigated through the
		190	conjunctive use of POST requests for user actions and [SameSite] restrictions
		191	for session cookies. (_note: this will become a sufficient protection only
		192	when support in browsers will become ubiquitous_).
		193
		194	* In its current state, the application does not implement any kind of rate
		195	limiting. Such restriction would be needed for real world applications in
		196	order to mitigate account password brute-force attacks, but also to prevent
		197	users from avoiding transfer fees by sending many small unbilled
		198	transactions.
		199
		200	[data at rest]: https://en.wikipedia.org/wiki/Data_at_rest
		201	[passlib]: https://passlib.readthedocs.io/en/stable/
		202	[CSRF]: https://owasp.org/www-community/attacks/csrf
		203	[SameSite]: https://owasp.org/www-community/SameSite
		204
185		205
186	## Development environment	206	## Development environment
187		207