<p>Didn't realize how dead <a href="/r/golang_infosec">r/golang_infosec</a> is, so I'm gonna repost here. I posted another thread about this project, if I'm spamming or missing the point of this subreddit, feel free to berate me.</p>
<p>I'm working on an automated <a href="https://github.com/tywkeene/autobd">backup solution</a> of sorts.</p>
<p>It was brought up that it's not the most secure thing in the world, and right after the mongodb fiasco, I'm wondering how I can make sure I have the most sane and secure defaults possible, so I can avoid any compromises.</p>
<p>As of now I have every node generate a UUID via <a href="https://github.com/satori/go.uuid">this package</a>. Once the node comes up, it identifies the configured server, and registers itself with said UUID. There is currently no mechanism in place to ensure a node is the original node that generated that UUID. What would be the best way to go about ensuring proper identification among nodes?</p>
<p>Other than that, I have https working (last I checked :|).</p>
<p>The only other thing I can think of that is a major security risk is the /nodes endpoint on the server side. It returns a JSON-encoded list of metadata about each node. I use this mainly for debugging, and it is disabled by default.</p>
<p>Anyways, tear into me.
Issues/Pull requests/Code review very welcome and appreciated :)</p>
<p>Cheers.</p>
<hr/>**Comments:**<br/><br/>beknowly: <blockquote>
<p>There is currently no mechanism in place to ensure a node is the original node that generated that UUID. What would be the best way to go about ensuring proper identification among nodes?</p>
</blockquote>
<p>Public/private keys on both sides.</p>
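<p>One concrete shape of "public/private keys on both sides" for the registration flow described in the post, written as an added example (not autobd's code): each node generates an Ed25519 key pair, sends only the public key together with its UUID when it registers, and signs every later request; the server binds the UUID to that key on first contact and refuses a later registration of the same UUID under a different key. The <code>Registry</code> and <code>Node</code> names and the request bytes are constructed for the example.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is the server side: node UUID -> public key sent at first
// registration (hypothetical name, not autobd's own code).
type Registry map[string]ed25519.PublicKey
// Register binds a UUID to a key on first contact only; re-registering the
// same UUID with a different key is refused, so a second host cannot claim it.
func (r Registry) Register(uuid string, pub ed25519.PublicKey) error {
	if existing, ok := r[uuid]; ok && !existing.Equal(pub) {
		return errors.New("uuid already registered with a different key")
	}
	r[uuid] = pub
	return nil
}

// Verify checks that msg, claimed to come from uuid, was signed with the key
// registered for it (a real API also puts a nonce in msg to stop replays).
func (r Registry) Verify(uuid string, msg, sig []byte) bool {
	pub, ok := r[uuid]
	return ok && ed25519.Verify(pub, msg, sig)
}
type Node struct { // the client side
	UUID string
	Pub  ed25519.PublicKey  // sent to the server once, at registration
	priv ed25519.PrivateKey // never leaves the node
}

func NewNode(uuid string) (*Node, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Node{UUID: uuid, Pub: pub, priv: priv}, nil
}
func (n *Node) Sign(msg []byte) []byte { return ed25519.Sign(n.priv, msg) }

func main() {
	reg, msg := Registry{}, []byte("PUT /backup node=node-a") // constructed request
	a, _ := NewNode("node-a")                                  // constructed UUID
	b, _ := NewNode("node-a")                                  // second host reusing it
	fmt.Println(reg.Register(a.UUID, a.Pub), reg.Verify(a.UUID, msg, a.Sign(msg))) // <nil> true
	fmt.Println(reg.Register(b.UUID, b.Pub), reg.Verify(b.UUID, msg, b.Sign(msg))) // error false
}
```

<p>The UUID alone then only names the node; the signature is what proves the request comes from the host that registered it, which is the gap the question asks about.</p>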
[X-Post from r/golang-infosec] Best/most secure practices for a RESTful API Server/Nodes?
xuanbao · 461 views · This is a resource shared on ; the information in it may have since developed or changed.