Securing a Lead Form Endpoint with CORS and Single-Site Origin: Xano, WeWeb, and Keys

In this meeting, the main focus was on securing an endpoint in Xano for collecting a lead form. The client requested that the endpoint be secured with CORS (Cross-Origin Resource Sharing) or single-site origin. The team discussed different approaches to achieving this security.


The first option mentioned was to use CORS headers to limit access to the endpoint based on the domain. This can be done by adding a custom header that bounces requests from unauthorized domains. Another option mentioned was a referral system in which an additional key is required to submit to the endpoint; this key would need to be known by the client's website. The team also discussed adding a CORS header to the response using the utility function called HTTP Header, which can be done by creating a custom middleware in Xano.

The team agreed that CORS would be sufficient for securing a lead form, as the effort required to bypass it would be unlikely to be worth it for attackers.

In terms of single-site origin, the team discussed the need for a key or token system to ensure secure access. This would require a separate process on the client's side to generate and manage the keys or tokens.

Finally, the team emphasized the importance of not being the easiest target for attackers. They discussed the "bear test" analogy, where the goal is to make it harder for attackers without needing to be invulnerable. Overall, the meeting provided an overview of the different approaches and considerations for securing the endpoint in Xano.


(Source: State Change Office Hours 4/20 )
