Security concerns
Closed this issue · 3 comments
This is not really a bug but more of a concern about what will be handled by the client-side code. I have looked quickly through the code and I've seen some code that gives the impression that the client-side code will be responsible, in some cases, of informing the server of a loss or a win. Giving that kind of power to the client-side code has security flaws, and it wouldn't be hard to exploit them if there's no server-side validation...
Could we have a bit more information about client/server responsibilities and security mechanisms that will be put in place?
Thanks!
Do you mean about the time systems? of course there will be server side validation, but its better that it firts runs from the client. This is because the server will not be gentle to users connection problems, lags, the time cost between a move being clicked, and received and processed by the server, etc. Running from the client eliminates all of these issues. Yes, there might be a precision cost, as trusting them will give extra seconds to users. Server will have a validation that the time cant be toyed aroudn with.
Yes, that's what I meant. I just wanted to make sure this had been covered ;)
Are you planning to use server-sent events and/or websockets for client/server communications?
not planning, its how its made.