Positivetrucking168 Posted September 12, 2017

Hello,

This is a topic that is going to be aimed towards the web developers of TruckersMP, and this is going to cover the mechanisms that TruckersMP uses to keep the website safe and secure from cross-site scripting (XSS) attacks where malicious code is injected into the website, as well as the technical mechanisms of trying to keep the website running in the event of a denial-of-service attack.

I am also going to ask whether there were any recently-known vulnerabilities and security threats that might affect the operations of the TruckersMP forum (however that could be better suited on the IPB forums) or the main website, and also the success of the secure authentication process (HTTPS) of the websites.
HumaneWolf Posted September 13, 2017

Pretty simple answers:

How to prevent XSS: You escape any input before showing it.

In the event of a DDoS: We have Cloudflare protection. Should someone direct a DDoS at our servers directly we either have multiple servers or can replace them, generally.

When it comes to the HTTPS rollout, because we have a bunch of "moving parts" in our system (the game servers, game client, website, forum, load balancing, other systems) it got more complicated than rolling it out on some random website, however, it was successful by testing it beforehand. This is a question better suited for @Tuxy Fluffyclaws though, since he did a bunch of the work, and I hadn't joined the webdev team yet at that time.

Would also like to point out that this is a general development discussion forum category, not specifically a place to ask us questions, and it doesn't have to be specifically related to TruckersMP.

HumaneWolf - Ex-Developer
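The output escaping described in the post above, as an added example that is not part of the original thread and is not TruckersMP's code: it renders one constructed comment with and without escaping and uses Python's html.parser to show which tags and attributes a parser actually sees. The function names and sample values are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (illustrative; not taken from the forum or the site).
SAMPLE_NAME = 'Bob" onmouseover="alert(1)'
SAMPLE_COMMENT = "<script>alert(1)</script> nice trucks & trailers"


def render_unsafe(name, comment):
    """The 'before': user input concatenated straight into markup."""
    return f'<div class="post" title="{name}">{comment}</div>'


def render_safe(name, comment):
    """Escape each value for the context it lands in, at output time."""
    attr = html.escape(name, quote=True)      # attribute value: also encodes " and '
    text = html.escape(comment, quote=False)  # text node: encodes &, < and >
    return f'<div class="post" title="{attr}">{text}</div>'


class TagCollector(HTMLParser):
    """Records every start tag and its attribute names as parsed."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [key for key, _ in attrs]))


def parsed_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        out = render(SAMPLE_NAME, SAMPLE_COMMENT)
        print(render.__name__, parsed_tags(out), out, sep="\n  ")
```

Escaping happens when the value is written into the page, so the stored comment stays unchanged and can be escaped differently for other output contexts.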
HumaneWolf Posted September 13, 2017

Adding a relevant link here: https://www.hacksplaining.com/

It has a bunch of basic, but good info on various kinds of normal exploits.

HumaneWolf - Ex-Developer
Positivetrucking168 Posted September 13, 2017

^ Thanks @HumaneWolf for the responses, have something to learn from your opinions. Yeah, attacking websites by any means is, by the way, a very serious offence and could result in criminal charges, as well as some inconvenience to the devs. It can also result in a permanent ban, both on the forums and in-game.

I defend my decision to post this topic in the dev portal rather than general discussion because of the technical nature of the thread (as the topic is related to the technicalities that the TruckersMP website might have rather than the basic parts of the webpage) and due to the heavy amount of jargon used (related to IT), I felt that the topic might be more suited in this section of the forum because others who might have no clue about the technicalities of the website (possibly not just this) might be able to refer to what you have given above, rather than the user having to look in the archive/trash for the solution.