Security Brainstorming
Front-end
--no reason to hide .js files as we are open source
----however, it might be useful to add certificates/signing to make sure the JavaScript file that is being run is *our* file, not some other weird version
--need state-based security in the back end
--need to determine login (OAuth, SSL?)
----cross-site scripting (XSS)
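One way the signing idea under Front-end could work, as an added example that is not the project's own code: a detached Ed25519 signature over the built file, plus a Subresource Integrity (SRI) hash, which is the check browsers enforce natively. The sample bundle, the `/static/app.js` path, the function names and the throwaway key pair are all assumptions made for the illustration.

```javascript
// Added example, not project code. Runs under Node.js with no dependencies.
const crypto = require('node:crypto');

// Constructed sample bundle standing in for the project's built .js file.
const bundle = Buffer.from('function login(u) { return fetch("/api/login"); }\n');

// Release step: sign the exact bytes of the file with the project's private key.
function signBundle(bytes, privateKey) {
  return crypto.sign(null, bytes, privateKey).toString('base64');
}

// Consumer step: accept the file only if the signature verifies against the pinned public key.
function verifyBundle(bytes, signatureB64, publicKey) {
  return crypto.verify(null, bytes, publicKey, Buffer.from(signatureB64, 'base64'));
}

// Browser-enforced check: the value that goes in <script integrity="...">.
function sriValue(bytes) {
  return 'sha384-' + crypto.createHash('sha384').update(bytes).digest('base64');
}

// crossorigin is required for SRI on cross-origin scripts and harmless on same-origin ones.
function scriptTag(src, bytes) {
  return `<script src="${src}" integrity="${sriValue(bytes)}" crossorigin="anonymous"></script>`;
}

// Throwaway key pair generated for the demo (assumption: a real key is kept offline).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const signature = signBundle(bundle, privateKey);

// A modified copy of the same file: "some other weird version".
const tampered = Buffer.concat([bundle, Buffer.from('// modified\n')]);

// Summarise both checks for the original and the modified file.
function demo() {
  return {
    original: verifyBundle(bundle, signature, publicKey),
    modified: verifyBundle(tampered, signature, publicKey),
    sriChanged: sriValue(bundle) !== sriValue(tampered),
    tag: scriptTag('/static/app.js', bundle),
  };
}

console.log(demo());
```

SRI only protects scripts referenced from a page that is itself delivered intact, so it complements rather than replaces serving the HTML over TLS.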
Back-end
A closer look inside secure REST: