Site security

Security measures at the application level

The website serves logged-in users over a secure layer that encrypts communication between the user and the server. This layer is based on the TLS protocol and also protects the management of users' accounts and sensitive information. At the application layer, several steps are required to create, validate or update a user's account. A valid e-mail address is required to create a new account; each address can be associated with only one account, and a captcha ensures that the account is being created by a human. When a new account is created, two e-mails are sent to the user: the first contains a verification code and the second the password to be used for the first login. To complete the registration, the user logs in with the provided password and enters the verification code. During this first login the user is asked to set a new password. The user also chooses a question and provides an answer to it, which is used to restore a forgotten password if the need arises. In that case the e-mail address and the answer to the question are both required before a URL is sent to the user's e-mail account; using this URL the user can set a new password. It is also checked that the e-mail address used to request a new password belongs to an already registered user.
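As an added illustration (not the site's own code), the forgotten-password part of the flow above modelled in Python: a reset URL is issued only when the e-mail address belongs to a registered account and the answer to the chosen question matches, the token is single-use and expires after an assumed lifetime of 15 minutes, and the host name in the URL is a placeholder.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed token lifetime; the page states none

def hash_secret(secret: str, salt: bytes) -> bytes:
    # Slow salted hash for both the password and the security-question answer
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class AccountStore:
    def __init__(self):
        self.accounts = {}      # e-mail -> record (constructed, in memory)
        self.reset_tokens = {}  # token -> (e-mail, expiry timestamp)

    def register(self, email, password, question, answer):
        if email in self.accounts:
            raise ValueError("each e-mail address may hold only one account")
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt, "question": question,
                                "pw": hash_secret(password, salt),
                                "answer": hash_secret(answer.strip().lower(), salt)}

    def request_reset(self, email, answer, now=None):
        # A reset URL is issued only if the address belongs to a registered user
        # AND the answer matches; the page shown to the requester should look the
        # same in every case so it cannot reveal which addresses are registered.
        now = now if now is not None else time.time()
        rec = self.accounts.get(email)
        if rec is None:
            return None
        given = hash_secret(answer.strip().lower(), rec["salt"])
        if not hmac.compare_digest(rec["answer"], given):
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (email, now + RESET_TTL_SECONDS)
        return f"https://example.invalid/reset?token={token}"  # placeholder host

    def reset_password(self, token, new_password, now=None):
        # Single use: the token is removed whether or not it is still valid
        now = now if now is not None else time.time()
        entry = self.reset_tokens.pop(token, None)
        if entry is None or entry[1] < now:
            return False
        rec = self.accounts[entry[0]]
        rec["salt"] = secrets.token_bytes(16)
        rec["pw"] = hash_secret(new_password, rec["salt"])
        return True
```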

In addition, public users are assigned to specific roles with defined permissions, so that each user can access only the functionality they are allowed to. Consequently, administrator tasks and pages cannot be accessed by ordinary registered users. The roles and permissions have been created specifically for this website for that reason.

Finally, the website platform is developed following the guidelines of OWASP, a foundation that continuously works on the security of web applications. Therefore, the platform is always secure and free of the latest known security vulnerabilities.