The following product release is planned for November 27th, 2024
We have been working with improving the back-office. Specifically, we’ve worked on improving the speed within multiple areas in the back-office.
Recently we have had some hacking attempts on our platform.
Quick overview of the hacking attempts: hacker mainly tries to exploit publicly available endpoints by querying them with a moderate number of requests. Typically, from a couple of minutes to an hour.
We have created an action plan to mitigate these attempts:
Change the request signature algorithm
Explore the possibility to obfuscate the request signature algorithm
Review hacking attempts logs to assess the impact
Implement a rate limiter (per IP per endpoint per API key) to prevent brute force attacks
Implement a WAF (Web Application Firewall) to filter out malicious requests – ModSecurity for nginx is a good choice
Revise a Content Security Policy (CSP) to prevent XSS attacks
Revise a public endpoints code to prevent SQL injection
Make the input validation for elastic search queries more strict to prevent garbage input
Add ModSecurity metrics to the monitoring system and setup alerts
Explore the possibility to implement a honeypot to distract hackers
Discuss the possibility to block / grey-list IPs that show suspicious activity
When adding a phone number, the input field currently does not have a default country code set. To streamline the process and reduce manual entry, the system should automatically set the default country code to +47. This will save users time and reduce the potential for errors.
Upon request, you should as a course admin be able to assign tags for courses based on which sub-division the course is relevant for.
This is so that a third-party application can use these tags in their API to connect the right sub-division to their respective calendars.
We do not intend to use this way tagging courses to place certain courses into course categories, but rather to showcase for which sub-divisions these courses are relevant for.
A stand alone application which can create Users/Members in the AO system via a CSV file.