
Which security features are provided by Talkyard?

By @gauravsen 2021-06-18 11:32:51.702Z


I hope everyone is doing well.

I just want to know which types of security are used in Talkyard at both the frontend and backend level.

Thanks in advance.

Thanks and Regards
Gaurav Sen

  • 4 replies
  1. KajMagnus @KajMagnus 2021-06-21 09:16:19.972Z

    Hmm that sounds like a broad question, maybe I'd start writing a lot about "the wrong" thing.

    I wonder what more specifically you have in mind?

    For example, maybe one or some of the following:

    Users, groups, access control and permissions?
    OWASP top ten, e.g. XSS and XSRF?
    Authentication methods, e.g. OAuth2 or OIDC or 2FA?
    Or maybe you wonder if there's any built in intrusion detection system?
    Software updates?
    Supply chain attacks?
    Password storage?
    DDoS and/or rate limits?
    And/or something else?

    Maybe it'd be good with documentation about all the above things (what do you think?).
    Still I wonder, what type of information were you looking for initially, before I wrote this

    1. riley @riley2 2021-07-30 20:54:09.219Z

      Hi -- I came here with the same question. Perhaps to rephrase: Can Talkyard be used reliably by a corporation or NGO? I'm not talking about HIPAA-level data, but a good baseline for forum software is that security is a major concern and I can expect our conversations to stay private. I guess I am asking, how much effort have Talkyard dev team put into security, and how much effort ongoing? Thanks!

      1. KajMagnus @KajMagnus 2021-08-02 05:20:49.929Z 2021-08-02 05:29:22.860Z

        Personally (I'm biased though) I think it is in most cases OK to use Talkyard in a corporation or NGO.

        But as of now (Aug 2021) I would not use Talkyard for discussing, say, important private Fortune 500 or Inc5000 company things, or health care information (unless maybe in an air-gapped system).

        And if you're an NGO in a dangerous authoritarian country, I also wouldn't use Talkyard currently.

        how much effort have Talkyard dev team put into security, and how much effort ongoing?

        I'd think it's a reasonable amount of effort so far — there're automatic tests that verify that private discussions stay private for example. Talkyard is written in TypeScript, React and Scala which are all comparatively safe things (harder to write bugs).

        At the same time, session handling could be better — there're upcoming security improvements related to that. There'll be more and more focus on security in the future, and there'll be a bug bounty program.

        (What's the threat model against your organization, if I may ask? If you want to, you could reply via a private message.)

    2. In reply to gauravsen:
      KajMagnus @KajMagnus 2021-08-02 05:26:08.681Z

      Hi again Gaurav (and @riley2 ), now I think I better know what kind of reply you were looking for,

      something like this?: "[Mattermost] Security Overview",
      and the Security Features section a little bit down