Recently I've been playing around more with security considerations on Atheos. My biggest concert was Codiad utilizing Get requests for 95% of all server-client interactions with zero injection checks.
I believe the only things that were posted might have been the login screen and the actual file content. I spent most of the back end development moving everything to uniformly use post requests.
Security has always been my primary concern when trying to design and implement my ideas for Atheos, but I am not a security expert; I'm not formally trained in coding security. In fact, I'm not really formally trained or taught in programming very much at all. I took a few classes when I was younger, but everything I know now is a direct result of curiosity and a strong passion for best practices and security.
As much as it seems to be a cop out, when a user installs Atheos, they really must take it upon themselves to understand and undertake the security risks that granting web access to your server files.
I was recently contacted about a verified vulnerability in Codiad that could also exist within Atheos, and it really caused a great deal of concern for me, not only as a developer of Atheos but as a User.
The basic idea was that a user could rename a file as a non-admin to an html img tag with a source that pings Codiad's marketplace component to install a malicious file. An Admin user could then open that directory, which would render that img tag as actual HTML and in a sense, run that install command with elevated privileges.
Luckily, Atheos had long been redesigned to only use Post requests instead of Get requests, so problem solved.
It has stayed in my head though. Atheos is a really powerful tool that is getting more powerful by the day, and I'm hoping my users are cognizant of that.