Sjoerd Langkemper

Results 204 comments of Sjoerd Langkemper

I would leave it as it currently is, and I don't agree with @suvikaartinen's proposal. I attempted to explain why in [this comment](https://github.com/OWASP/ASVS/issues/1218#issuecomment-1214160684). Most importantly, I don't see it as a...

> Verify that sensitive data is only sent to the server in the HTTP message body or headers

Should we consider websockets here? They are fine to send sensitive data,...

> 3.6.1 Verify that Relying Parties (RPs) specify the maximum authentication time to Credential Service Providers (CSPs) and that CSPs re-authenticate the user if they haven't used a session within...

I would prefer a requirement that says something like "session validity should be synchronized between servers", without getting into how this is implemented.

I would suggest something like this:

> Verify that sensitive information is not present in JavaScript or JSONP responses, to prevent cross-origin access to that information.
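An added example of the cross-origin leak this requirement is about (it is not code from the ASVS thread or from the commenter): a JSONP endpoint wraps the current user's profile in a caller-chosen callback, so any site that includes the endpoint with a `<script>` tag gets the data, because the browser attaches the victim's cookies to that request. The endpoint name, the `callback` parameter, the `steal` callback and the profile data are all constructed for this example; the `<script>` inclusion is simulated with `new Function()`, which, like a script tag, executes the response body as JavaScript.

```javascript
// Added example, not from the ASVS discussion or its author.
// Constructed sample data standing in for an authenticated user's profile.
const PROFILE = { email: "alice@example.com", apiToken: "tok_constructed_123" };

// Vulnerable handler (hypothetical /api/me?callback=...): wraps sensitive data in
// the caller-supplied callback. A real handler would check the session cookie,
// but the browser sends that cookie on a cross-origin <script> request too.
function jsonpHandler(profile, callback) {
  return {
    contentType: "application/javascript",
    body: `${callback}(${JSON.stringify(profile)});`,
  };
}

// Hardened handler: plain JSON only, never a callback. An object literal at
// statement position is parsed as a block, so the body is a SyntaxError when
// run as a script, and nosniff keeps the browser from guessing a script type.
function jsonHandler(profile) {
  return {
    contentType: "application/json",
    headers: { "X-Content-Type-Options": "nosniff" },
    body: JSON.stringify(profile),
  };
}

// Simulates the attacker page: the response body is executed as a script in a
// scope where the attacker's global callback "steal" is visible.
function runAsCrossOriginScript(responseBody) {
  let leaked = null;
  const steal = (data) => { leaked = data; };
  try {
    new Function("steal", responseBody)(steal);
  } catch (e) {
    return { leaked, error: e.name }; // SyntaxError: not usable as a script
  }
  return { leaked, error: null };
}

// Usage: the JSONP response hands the profile to the attacker's callback, the
// JSON response cannot be executed at all.
console.log(runAsCrossOriginScript(jsonpHandler(PROFILE, "steal").body));
console.log(runAsCrossOriginScript(jsonHandler(PROFILE).body));
```

The same reasoning covers dynamically generated JavaScript files that embed per-user data (`var currentUser = {...}`): any response that is valid as a script and depends on the victim's cookies is readable cross-origin.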

Where should this go? Perhaps somewhere in V8?

> Cross-Origin Confidentiality

Another issue that falls under this category is cross-site search. The attacker performs searches using CSRF requests, and times the responses to determine whether a result is...

Yes, that makes more sense. What I encounter most often in applications is that the cookie is cleared at the client, but not invalidated on the server. The back button won't...

See [2.3.3 (ASVS March 2019) Is unclear · Issue #628 · OWASP/ASVS](https://github.com/OWASP/ASVS/issues/628)

> we need to have one application per host/origin

This should be "host", not origin. Specifically, it should not be allowed to run different applications on different ports. Applications running...
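An added example of why "host" rather than "origin" is the right unit here (not code from the ASVS thread or from the commenter): the browser's same-origin policy includes the port in an origin, but cookie scope under RFC 6265 is domain and path only, so two applications on different ports of one host share each other's cookies. The hostnames, ports, cookie name and paths are constructed for the example; `cookieIsSentTo` implements the host-only and path-match rules of RFC 6265 for a cookie set without a `Domain` attribute.

```javascript
// Added example, not from the ASVS discussion or its author.

// Origin as the same-origin policy sees it: scheme, host and port.
function originOf(urlString) {
  return new URL(urlString).origin; // e.g. "https://app.example.com:8443"
}

// Cookie scope as RFC 6265 sees it: host and path, no port. Host-only cookie
// (no Domain attribute) plus the RFC 6265 section 5.1.4 path-match rule.
function cookieIsSentTo(cookie, urlString) {
  const u = new URL(urlString);
  if (cookie.secure && u.protocol !== "https:") return false;
  if (u.hostname !== cookie.host) return false;
  const reqPath = u.pathname || "/";
  const cp = cookie.path;
  return (
    reqPath === cp ||
    (reqPath.startsWith(cp) && (cp.endsWith("/") || reqPath[cp.length] === "/"))
  );
}

// Constructed scenario: an admin application on port 8443 sets its session
// cookie; a public application runs on the default port 443 of the same host.
const adminSession = { name: "admin_session", host: "app.example.com", path: "/", secure: true };
const publicApp = "https://app.example.com/profile";        // port 443
const adminApp = "https://app.example.com:8443/dashboard";  // port 8443
const otherHost = "https://other.example.com/";

// Returns which of the URLs the admin cookie is sent to, next to their origins.
function scopeReport() {
  return [publicApp, adminApp, otherHost].map((url) => ({
    url,
    origin: originOf(url),
    receivesAdminCookie: cookieIsSentTo(adminSession, url),
  }));
}

console.table(scopeReport());
```

The leak runs both ways: the public application on port 443 receives the admin session cookie on every request, and it can also set a cookie under the same name that the admin application will read (session fixation or cookie tossing), which is why a lower-trust application on another port of the same host is a problem even if it never sees the other one's traffic directly.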