A web application to handle and process an organization's candidate data
RecruitOn is a humble web application that aims to ease the process of handling, filtering and organizing potential candidates' personal data. The target here is any organization or company that deals with recruiting processes (normally the HR team). It relies on a simple UI which allows the user to upload an Excel file. The logic behind the application processes this data and shows it back to the client in a user-friendly way.
The application offers some interesting functions. Among them, we have:
- Filtering through different parameters: qualification, salary and location
- Locating the candidate on a map
Most important, the remarkable feature regarding UX is a custom handling of the browser navigation history.
From its very early stage, RecruitOn was designed to be built in the most secure way possible, giving this factor top priority. To achieve this, an approach different from the traditional username/password login mechanism was desired. The main goal was authenticating requests made by RecruitOn, accepting only them and rejecting any other request coming from a different source.
The core of RecruitOn's security engine has finally been set up through the Chrome Web Request API. In simplified terms, this API works by installing an extension in Chrome, which intercepts any request coming from the application. Next, it encrypts a given payload that is sent to the server in hexadecimal format; the server is responsible for decrypting this data and validating it.
A second security layer has been configured through short-lived cookies. These are created on the native JavaScript onbeforeunload event, so the client creates them only when the next request is about to be launched. This shortens the time the cookie is present in the browser. In addition, the lifetime of the cookie is just 2 seconds; after that, the browser purges it. To provide a background layer against potential CSRF attacks, the SameSite attribute is also set along with the rest of the cookie properties. Cookie values are base64 encoded.
Finally, all traffic is encrypted even in the development phase. This has been done with self-certified HTTPS credentials provided by Let's Encrypt.
```shell
npm install
npm run start:dev
```
The server will throw an error if the Excel file doesn't comply with certain rules. Please find a model template inside the files folder to guide yourself.
- 1.0
- Master
- Only running on Chrome
- Encryption takes place in the Chrome extension code. I encourage potential users of the app to hide/obfuscate the code to prevent security issues
- Design has not been a priority. Serious CSS improvements can be introduced
All rights reserved to MKNA security software development.