Security is extremely important to us.
Omny protects itself through a few key design decisions:
- The permission system requires a service to explicitly grant permission to any user other than the site owner, so permissions cannot accidentally be left wide open.
- Cross-site request forgery is blocked by verifying identity with methods other than cookies alone.
- Our services are written in Java, and the way APIs are structured and loaded makes it very hard to add an API by hacking the system. Even if the file system were compromised, no new APIs can be loaded without restarting the web service.
- The way requests are routed through the system makes it impossible to hijack arbitrary URLs.
- Our service-oriented architecture enables us to isolate services if they are compromised.