
Merge 3.1.1 and 13.1.3 into 8.3.1 to resolve #1313

Open tghosth opened this issue 3 years ago • 2 comments

This Pull Request relates to issue #1313

tghosth avatar Aug 11 '22 15:08 tghosth

Verify that sensitive data is only sent to the server in the HTTP message body or headers

Should we consider websockets here? They are fine to send sensitive data, but I would not consider them message body or headers.

and that the URL/query string do

I don't like the slash in the "URL/query string" part. I think it makes it a little bit unclear, both in meaning and in whether this is singular or plural.

not contain sensitive information, such as an API key, session token, etc.

"such as" already indicates that this list is not exhaustive. Is "etc." still needed?

I would write it like so:

Verify that sensitive data is only sent to the server in the HTTP message body or headers and that the URL and query string do not contain sensitive information, such as an API key or session token.

But this is a little bit nitpicking and if this was merged as is I would also be fine with it.

Sjord avatar Aug 13 '22 10:08 Sjord
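As an added illustration of the requirement under discussion (this is example code, not part of the PR or of the ASVS project), the following Python check flags sensitive-looking parameter names in a URL's query string and scans constructed access-log lines for the same; the parameter-name list, the log regex and the sample log are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed (assumed) list of query-parameter names that typically carry
# secrets such as API keys or session tokens. Extend it for your application.
SENSITIVE_PARAMS = {
    "api_key", "apikey", "access_token", "token", "session", "sessionid",
    "jsessionid", "phpsessid", "password", "secret",
}


def _normalize(name: str) -> str:
    # Compare case-insensitively and ignore '-' / '_' so that 'API-Key',
    # 'apiKey' and 'api_key' are all treated as the same parameter name.
    return name.lower().replace("-", "").replace("_", "")


_NORMALIZED_SENSITIVE = {_normalize(p) for p in SENSITIVE_PARAMS}


def sensitive_query_params(url: str) -> list[str]:
    """Return the query-parameter names in `url` that look sensitive.

    Blank values (e.g. 'token=') are ignored; the point is to catch a real
    secret travelling in the query string, where it lands in logs and
    browser history.
    """
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if _normalize(name) in _NORMALIZED_SENSITIVE and value]


# Request field of a Common Log Format line: "METHOD /path?query HTTP/x.y"
_REQUEST_RE = re.compile(
    r'"(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, flagged parameter names) for each log
    line whose request URL carries a sensitive-looking query parameter."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = _REQUEST_RE.search(line)
        if match and (hits := sensitive_query_params(match.group(1))):
            findings.append((lineno, hits))
    return findings


# Constructed sample access log; the key and session values are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2022:15:08:00 +0000] "GET /api/items?page=2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Aug/2022:15:08:01 +0000] "GET /api/items?api_key=EXAMPLE_KEY_123 HTTP/1.1" 200 512',
    '10.0.0.7 - - [11/Aug/2022:15:08:02 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.7 - - [11/Aug/2022:15:08:03 +0000] "GET /dashboard?sessionId=abc123&tab=home HTTP/1.1" 200 2048',
]
```

Running `scan_access_log(SAMPLE_LOG)` reports lines 2 and 4, which is the kind of evidence a reviewer can use to show the requirement is not met even when the application accepts the same values in a header or body.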

@tghosth - I approved and you can resolve conflicts now :)

Sjord - please move your remarks to the related issue; we can do one more fine-tuning round if needed.

elarlang avatar Sep 30 '22 15:09 elarlang