I want to start using LTI external tools in my moodle.
I'm not referring to my moodle as being a LTI provider, rather the opposite - using LTI tools like "VitalSource", "Codeboard" etc. as embedded content in my moodle. (LTI consumer)
Is there anything my IT security team should know about LTI in moodle?
Are there any recommended security practices or measures that should be taken before using LTI tools? whether it's something that the Moodle's admin should configure or the server system administrator should?
I'm mostly concerned about security issues like XSS or anything else that might abuse or manipulate our Moodle's system or even Moodle's database.
I'm also concerned about privacy issues as I see that there is an option to send a little bit of user data to the LTI tool and I want to make sure that nothing but what was configured by Moodle's admin is sent out.
We not only value the privacy of our users but also the content in our Moodle - we don't want our content to be somehow visible to anyone that is not a registered user in our Moodle.
but mostly I'm considered about the security aspect of this.
I have moodle 3.5.1 installed, btw.