Interesting, even though I don't use Funkwhale yet. Especially the first point seems to apply more generally to fediverse servers. I think with current settings I'm ok, but I'll check some more. These are the questions for servers like mine, I think:
- Does your server proxy remote media to be included in a visible post and does it check the media is indeed remote and is actual media. It's my belief that on my servers the answers are 'no, n/a' and 'yes, yes'.
- Does your server show link previews in a visible post and does it sanitise the included information? Here it is for me 'yes, yes' I think.
Hey everyone! o/A few months ago, we had a security audit of Funkwhale performed as part of our funding agreement. Due to the recent changes to our structure we've not had time to talk about it, so let's do that now!
https://blog.funkwhale.audio/security-quick-scan.html
Funkwhale Blog ~ Funkwhale security quick scan report
In the name of transparency, let's talk about our security audit!blog.funkwhale.audio