Comments (6)
Without a rationale for each recommendation, the checklist is not very useful (to me at least).
Security is never perfect or absolute, so whether and how to secure something depends on how sensitive the data is and who you are protecting it from. And while some practices are widely accepted, there are disagreements about others. Take for example the discussions on Basic Auth and JWT in the issues on this repo. A rationale for why the author(s) of this checklist recommend using JWT Bearer Auth over Basic Auth would be good. (IMO, neither is perfect, but both can be good enough for some APIs)
from api-security-checklist.
I agree that seeing the rationale would be great, but please don't do this within the checklist, as you probably don't want to read it every time you read the checklist.
A very good idea. Maybe we can start to make separate files as a reference for every check point.
How about wiki pages that are linked to from the list?
I agree that this list does not come across as useful to me. A security checklist asking its users to follow its advice without question paradoxically undermines the security-conscious process and mindset the checklist appears to support.
Anyone want to try having a go at this, make some PRs, etc?