Github user filmaj commented on a diff in the pull request:
https://github.com/apache/cordova-docs/pull/703#discussion_r115320846
--- Diff: www/docs/en/dev/guide/appdev/security/index.md ---
@@ -27,69 +27,155 @@ description: Information and tips for building a
secure application.
The following guide includes some security best practices that you should
consider when developing a Cordova application. Please be aware that security
is a very complicated topic and therefore this guide is not exhaustive. If you
believe you can contribute to this guide, please feel free to file an issue in
Cordova's bug tracker under
["Documentation"](https://issues.apache.org/jira/browse/CB/component/12316407).
This guide is designed to be applicable to general Cordova development (all
platforms) but special platform-specific considerations will be noted.
## This guide discusses the following topics:
+
+* General Tips
+* Plugins and Security
+* Content Security Policy
* Whitelist
-* Iframes and the Callback Id Mechanism
* Certificate Pinning
* Self-signed Certificates
+* Wrapping external sites and hot code push
* Encrypted storage
-* General Tips
* Recommended Articles and Other Resources
+## General Tips
+
+### Use InAppBrowser for outside links
+
+Use the InAppBrowser when opening links to any outside website. This is
much safer than whitelisting a domain name and including the content directly
in your application because the InAppBrowser will use the native browser's
security features and will not give the website access to your Cordova
environment. Even if you trust the third party website and include it directly
in your application, that third party website could link to malicious web
content.
+
+### Validate all user input
+
+Always validate any and all input that your application accepts. This
includes usernames, passwords, dates, uploaded media, etc. Because an attacker
could manipulate your HTML and JS assets (either by decompiling your
application or using debugging tools like `chrome://inspect`), this validation
should also be performed on your server, especially before handing the data off
to any backend service.
+
+> **Tip**: Other sources where data should be validated: user documents,
contacts, push notifications
+
+### Do not cache sensitive data
+
+If usernames, password, geolocation information, and other sensitive data
is cached, then it could potentially be retrieved later by an unauthorized user
or application.
--- End diff --
I feel like this statement is a little alarmist without providing concrete
examples. It would also depend on what one means by "caching." Have you seen or
heard of instances of this kind of attack happening in Cordova apps?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
