This repository has been archived by the owner on Dec 24, 2023. It is now read-only.

calvin.md

Calvin:

Functionality Of Web Application

  • User Profile

Screenshot (user profile): https://gyazo.com/62dca0253271654bb1b99cb933e7c89f

  • Edit Profile Details (Display Name, Bio, Location, Website)

Screenshot (edit profile): https://gyazo.com/21c399dabbb9f411567d2ff91f4c70f6

  • Edit Profile Picture & Banner Picture

Screenshots (edit profile picture, edit profile banner): https://gyazo.com/0a959af59a675de254c31166617a4367 , https://gyazo.com/42793d4f60e3aaf3940c53f90a4a8bed

  • Post Uploading

Screenshot (posting): https://gyazo.com/d824284c7bb18169ca64a20bda271a49

  • Liking, Commenting and Sharing of Posts & Comments

Screenshots (liking posts; sharing and commenting on posts): https://gyazo.com/3a063774bd1905ad946102e603b9aca1 , https://gyazo.com/4e29633991f22a2ef65d2ff26ef50b35

  • Deletion of Posts & Comments

Screenshots (deleting own posts; deleting own comments): https://gyazo.com/f18d4b42177d3a0df5389a9d0f7fbea0 , https://gyazo.com/5fdba4a18fa9e736d4120bdf755ac857

  • Account Settings (Username, Email)

Screenshot (account settings): https://gyazo.com/c892e0e9d89051d1ae5174578249e1b5

  • Set / Change Password

Screenshots (set password; change password): https://gyazo.com/ff9783c11db07db5babf988673d9c9be , https://gyazo.com/13eea76511763579ef9142f9fb1bfdfa

  • Display of posts on home page & profile page

Screenshot (pagination): https://gyazo.com/6326a6fa22a96d6197f84f1939cad924

Implemented:

Data Security:

  • E2E integrity checks
    • Implemented to ensure the integrity of content uploaded to the website
    • Uses the built-in md5 function in JavaScript and CRC32C from SheetJS to calculate hashes on the client side
    • Uses the hashlib module to calculate hashes on the server side
    • The client-side and server-side hashes are compared on the server
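The server-side half of that check, as an added example rather than the project's own code: it recomputes MD5 and CRC32C over the received body and compares them with the values the client sent. CRC32C is not in the Python standard library (zlib.crc32 is plain CRC32), so a small table-driven implementation is included. The function names, the request field layout and the sample payload are assumptions. One caveat worth keeping in mind: neither MD5 nor CRC32C involves a secret, so this detects accidental corruption in transit, not deliberate tampering by whoever controls the request, which is what a keyed MAC or a signature would be for.

```python
import hashlib
import hmac

# CRC32C (Castagnoli), reflected polynomial 0x82F63B78. Not in hashlib/zlib,
# so implemented here. Check value: crc32c(b"123456789") == 0xE3069283.
_CRC32C_POLY = 0x82F63B78


def _make_table():
    table = []
    for i in range(256):
        crc = i
        for _ in range(8):
            crc = (crc >> 1) ^ _CRC32C_POLY if crc & 1 else crc >> 1
        table.append(crc)
    return table


_CRC32C_TABLE = _make_table()


def crc32c(data: bytes) -> int:
    """Return the CRC32C of `data` as an unsigned 32-bit integer."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def normalize_crc(value: str) -> int:
    """The SheetJS crc-32 library returns signed 32-bit integers, so a client
    may send e.g. "-486108541" for 0xE3069283. Mask to the unsigned range
    before comparing so both spellings of the same CRC match."""
    return int(value, 10) & 0xFFFFFFFF


def verify_upload(body: bytes, client_md5_hex: str, client_crc32c: str) -> bool:
    """Return True only if both client-supplied digests match what the server
    computes over the bytes it actually received (assumed field names)."""
    try:
        expected_crc = normalize_crc(client_crc32c)
    except ValueError:
        return False  # malformed CRC field: treat as failed check, not a crash
    server_md5 = hashlib.md5(body).hexdigest()
    # compare_digest keeps the comparison time independent of where the
    # strings first differ; bytes are used so any client input is accepted.
    md5_ok = hmac.compare_digest(server_md5.encode(), client_md5_hex.lower().encode())
    crc_ok = crc32c(body) == expected_crc
    return md5_ok and crc_ok


if __name__ == "__main__":
    # Constructed payload: "123456789" has well-known MD5 and CRC32C check values.
    sample = b"123456789"
    print(hex(crc32c(sample)), hashlib.md5(sample).hexdigest())
    print(verify_upload(sample, "25f9e794323b453885f5181f1b624d0b", "-486108541"))
```

If the client sends the CRC as a hex string instead of a decimal integer, adjust `normalize_crc` accordingly; the masking step is what matters, since an unmasked signed value would never equal the unsigned server result.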

Screenshot (integrity check code): https://gyazo.com/59ba4f665f590a780cc74183d2421bff

  • XSS mitigations
    • Implemented a CSP to prevent execution of unwanted scripts and/or JavaScript libraries
    • Implemented Content Security Policy middleware
    • Configured the Content Security Policy and the nonces of embedded scripts

Screenshot (Content Security Policy): https://gyazo.com/3f69f80ec64bb2dad1e278a840f1f784

  • Security Header Middlewares
    • HSTS Middleware
      • Ensures the usage of HSTS
    • XSSProtection Middleware
      • Does not load the page if an XSS attack is detected
    • FrameOption Middleware
      • Specifies whether the browser may render the page embedded in another page (frame)
    • Referrer Policy Middleware
      • Controls how much referrer information is included in a request
    • ExpectCT Middleware
      • Enforces Certificate Transparency requirements, which prevent the use of misissued certificates
    • Content Type Middleware
      • Prevents MIME sniffing attacks
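The CSP-with-nonce middleware and the security-header middlewares described above, combined into one added example that is not the project's own code. It is written as a framework-neutral WSGI middleware so it runs with the standard library alone; the header values, the `csp.nonce` environ key and the demo app are assumptions. Two points the header list itself does not show: the nonce must be freshly random per response and the same value must reach both the header and every inline `<script>` tag, otherwise the policy either blocks the page's own scripts or, if the nonce is static, protects nothing. Note also that current browsers ignore X-XSS-Protection (the CSP is the effective control) and have deprecated Expect-CT; both are emitted here as the page configures them.

```python
import secrets


class SecurityHeadersMiddleware:
    """WSGI middleware: mints a per-request CSP nonce, exposes it to the app
    through environ["csp.nonce"] (assumed key), and appends the security
    headers to every response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        nonce = secrets.token_urlsafe(16)  # 128 bits of CSPRNG output, new per request
        environ["csp.nonce"] = nonce

        def _start_response(status, headers, exc_info=None):
            # Keep the app's own headers and add ours after them.
            return start_response(status, list(headers) + self.security_headers(nonce), exc_info)

        return self.app(environ, _start_response)

    @staticmethod
    def security_headers(nonce):
        csp = (
            "default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "   # only scripts carrying this nonce run
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        )
        return [
            ("Content-Security-Policy", csp),
            ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
            ("X-XSS-Protection", "1; mode=block"),      # legacy; ignored by current browsers
            ("X-Frame-Options", "DENY"),
            ("Referrer-Policy", "strict-origin-when-cross-origin"),
            ("Expect-CT", "max-age=86400, enforce"),    # deprecated by browsers, kept as configured
            ("X-Content-Type-Options", "nosniff"),
        ]


def render_page(environ):
    """Stand-in for the template layer: stamps the request's nonce on the inline script."""
    nonce = environ["csp.nonce"]
    return f'<!doctype html><script nonce="{nonce}">console.log("ok")</script>'.encode()


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [render_page(environ)]


app = SecurityHeadersMiddleware(demo_app)


def call(wsgi_app, path="/"):
    """Invoke a WSGI app with a constructed environ (no network); returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost"}
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def nonce_from_csp(csp_value):
    """Extract the nonce from a Content-Security-Policy header value."""
    return csp_value.split("'nonce-", 1)[1].split("'", 1)[0]


if __name__ == "__main__":
    status, headers, body = call(app)
    print(status, headers["Content-Security-Policy"])
    print(body.decode())
```

Wrap the real application object the same way (`app = SecurityHeadersMiddleware(flask_app.wsgi_app)` in Flask, for instance) and have the template read the nonce from the request environ.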

Screenshots (security headers; frame options): https://gyazo.com/ab9fca9a269050e266663064028c6b66 , https://gyazo.com/f8bd3228048831bcd930f1dcab0bd7d9

  • File Analysis
    • Implemented scanning of files by the VirusTotal API before they are uploaded
    • Upon posting, the file is run through the API, which returns the results shown below. We then check the results and decide whether or not to allow the file to be uploaded

Screenshot (scan file for virus): https://gyazo.com/b29e471c652ef9218c11d475e5fcc5d3

  • URL Analysis
    • Implemented scanning of URLs by the Google Web Risk API and the VirusTotal API before they are uploaded
    • Redirect confirmation also runs the URL analysis

Screenshots (URL scanning; redirect confirmation scanning): https://gyazo.com/2cc0c8eddf7c15a69d430c712a5a8c0d , https://gyazo.com/50fe935017bf45f0abe5edd979c49e0a

  • Storing of Analysis Results
    • Implemented MongoDB storage of the analysis results so as to reduce API usage
    • Reduces the risk of attacks on availability, since scans can take a long time and overload our servers
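The file-analysis, URL-analysis and result-storage items above describe one flow: hash the submission, look the hash up in the result store, only call the scanning API on a miss, then decide from the verdict counts. Here it is as an added example, not the project's code. The scanner is injected as a callable so nothing touches the network; the constructed verdicts use the `malicious`/`suspicious`/`harmless`/`undetected` count shape that VirusTotal's analysis stats use, an in-memory dict stands in for the MongoDB collection, and the TTL, the block policy and the URL normalisation are assumptions. Keying files by SHA-256 of their content (rather than by filename) is what makes the cache actually save API calls and scan time when the same file is re-posted.

```python
import hashlib
import time
from urllib.parse import urlsplit, urlunsplit

CACHE_TTL_SECONDS = 24 * 3600  # re-scan after a day (assumed policy)


class ResultCache:
    """Stand-in for the MongoDB results collection: same get/put shape, kept in memory."""

    def __init__(self):
        self._docs = {}

    def get(self, key, now):
        doc = self._docs.get(key)
        if doc is None or now - doc["scanned_at"] > CACHE_TTL_SECONDS:
            return None  # miss, or stale: caller must rescan
        return doc

    def put(self, key, stats, now):
        self._docs[key] = {"stats": stats, "scanned_at": now}


def file_key(data: bytes) -> str:
    """Content-addressed key: identical bytes share one verdict regardless of filename."""
    return "file:" + hashlib.sha256(data).hexdigest()


def url_key(url: str) -> str:
    """Normalise scheme/host case, default path and fragment so trivially
    different spellings of one URL hit the same cached verdict (assumption)."""
    parts = urlsplit(url.strip())
    normalised = urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                             parts.path or "/", parts.query, ""))
    return "url:" + normalised


def is_allowed(stats) -> bool:
    """Assumed block policy: any malicious or suspicious verdict rejects the upload."""
    return stats.get("malicious", 0) == 0 and stats.get("suspicious", 0) == 0


class UploadGate:
    def __init__(self, cache, scanner, clock=time.time):
        self.cache = cache
        self.scanner = scanner    # callable(key, payload) -> stats dict; real one calls the APIs
        self.clock = clock
        self.api_calls = 0        # counted so the caching effect is observable

    def check(self, key, payload):
        now = self.clock()
        doc = self.cache.get(key, now)
        if doc is None:
            self.api_calls += 1
            stats = self.scanner(key, payload)
            self.cache.put(key, stats, now)
        else:
            stats = doc["stats"]
        return is_allowed(stats), stats


# Constructed scanner standing in for VirusTotal / Web Risk. Marks two
# constructed samples (a byte string and a reserved .example host) as bad.
BAD_KEYS = {file_key(b"constructed bad sample"), url_key("http://bad.example/")}


def fake_scanner(key, payload):
    if key in BAD_KEYS:
        return {"harmless": 2, "malicious": 5, "suspicious": 1, "undetected": 60}
    return {"harmless": 70, "malicious": 0, "suspicious": 0, "undetected": 3}


def build_demo_gate(clock=time.time):
    return UploadGate(ResultCache(), fake_scanner, clock)


if __name__ == "__main__":
    gate = build_demo_gate()
    print(gate.check(file_key(b"constructed clean file"), b"constructed clean file"))
    print(gate.check(url_key("HTTP://Bad.Example/#frag"), "HTTP://Bad.Example/#frag"))
    print("API calls:", gate.api_calls)
```

For redirect confirmation the same `check` is called with `url_key(target)`; because the key is normalised, the confirmation page reuses the verdict recorded when the link was first posted instead of triggering a second scan.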

Screenshot (results storing): https://gyazo.com/3264b8f6f61bbc193d048414f8c4847b

  • Post & Comment Pagination
    • Implemented pagination to reduce the load on the server
    • Fetches a fixed number of posts/comments at a time; when the user scrolls past a certain height, the next batch of posts/comments is fetched
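An added example of the server side of that scroll-driven fetch (not the project's code): keyset pagination over posts sorted newest-first, with the page size clamped so a client cannot request the whole table at once. Keyset ("after this id") rather than offset paging is chosen because with infinite scroll new posts arrive at the top while the user reads, and offsets then shift and produce duplicates or gaps; an id cursor does not. The post shape, the cursor field and the size limits are assumptions.

```python
MAX_PAGE_SIZE = 20      # hard server-side bound regardless of what the client asks (assumption)
DEFAULT_PAGE_SIZE = 10


def clamp_page_size(requested, default=DEFAULT_PAGE_SIZE):
    """Turn an untrusted query parameter into a bounded page size."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, MAX_PAGE_SIZE))


def fetch_page(posts, after_id=None, page_size=DEFAULT_PAGE_SIZE):
    """Return (page, next_cursor) for posts ordered newest-first by id.
    `after_id` is the last id the client already has; next_cursor is None
    once there is nothing further to fetch."""
    ordered = sorted(posts, key=lambda p: p["id"], reverse=True)
    if after_id is not None:
        ordered = [p for p in ordered if p["id"] < after_id]
    page = ordered[:page_size]
    next_cursor = page[-1]["id"] if len(ordered) > page_size else None
    return page, next_cursor


def scroll_through(posts, page_size=DEFAULT_PAGE_SIZE):
    """Simulate the infinite-scroll client: keep fetching until the cursor is exhausted.
    Returns the list of pages actually served."""
    pages, cursor = [], None
    while True:
        page, cursor = fetch_page(posts, cursor, page_size)
        pages.append(page)
        if cursor is None:
            return pages


# Constructed sample: 25 posts with ids 1..25 (id 25 is the newest).
SAMPLE_POSTS = [{"id": i, "body": f"post {i}"} for i in range(1, 26)]


if __name__ == "__main__":
    size = clamp_page_size("9999")   # a greedy client still gets at most MAX_PAGE_SIZE
    for n, page in enumerate(scroll_through(SAMPLE_POSTS, size), 1):
        print(n, [p["id"] for p in page])
```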

Screenshot (pagination): https://gyazo.com/6326a6fa22a96d6197f84f1939cad924

  • Extra Verification to view settings
    • A layer of authentication before accessing and editing critical settings
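An added example of that extra layer (not the project's code): before the settings page is served, the user re-enters their password; a successful check records a timestamp in the session, and the settings views are only allowed while that timestamp is recent. The password-hashing parameters, the session field name and the five-minute window are assumptions. The point of the window is that a session hijacked or left open on a shared machine still cannot change email, username or password without the password being typed again, and a failed re-authentication clears any earlier grant rather than leaving it in place.

```python
import hashlib
import hmac
import os
import time

REAUTH_WINDOW_SECONDS = 300   # how long a re-authentication stays valid (assumption)
PBKDF2_ITERATIONS = 200_000   # assumed work factor


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class SettingsGuard:
    """Step-up check in front of the critical-settings views.
    `session` is the server-side session dict (assumed field "reauth_at")."""

    def __init__(self, clock=time.time):
        self.clock = clock

    def reauthenticate(self, session, password, salt, digest):
        """Called by the confirmation form. Grants a time-boxed window on success;
        a failure revokes any earlier grant instead of leaving it in place."""
        if verify_password(password, salt, digest):
            session["reauth_at"] = self.clock()
            return True
        session.pop("reauth_at", None)
        return False

    def may_edit_settings(self, session):
        """True only while the last successful re-authentication is within the window.
        A clock that appears to have gone backwards also fails closed."""
        granted_at = session.get("reauth_at")
        if granted_at is None:
            return False
        age = self.clock() - granted_at
        return 0 <= age <= REAUTH_WINDOW_SECONDS

    def revoke(self, session):
        """Call on logout or password change so the window does not outlive the event."""
        session.pop("reauth_at", None)


if __name__ == "__main__":
    # Constructed user record and session.
    salt, digest = hash_password("correct horse battery staple")
    guard = SettingsGuard()
    session = {}
    print(guard.may_edit_settings(session))                                   # False
    print(guard.reauthenticate(session, "correct horse battery staple", salt, digest))
    print(guard.may_edit_settings(session))                                   # True
```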

Screenshot (extra authentication): https://gyazo.com/90a9c46b4b51ea71264f3ef2b72e40a6

  • Blocking of Search Engine Crawlers
    • Implemented to prevent private pages from being indexed by search engines

Screenshot (SEO / crawler blocking): https://gyazo.com/38552becbbbee367268e1a69b17215a5

  • MongoDB Backup (Configuration)
    • Configured MongoDB to automatically back up to a remote server

Screenshot (MongoDB backup): https://gyazo.com/3d78b3f38833edec08d581903785812d

Research:

  • Virus scanning APIs and how to implement them
    • VirusTotal API
    • Web Risk API
  • JavaScript hashing algorithms
    • CRC32C (SheetJS)
  • JavaScript libraries
    • FilePond