API-Security-Checklist

Rationales

Open erlkonig opened this issue 8 years ago • 6 comments

Each thing in the list deserves a file on the rationale behind it, even if those are largely URLs.

erlkonig (Jul 09 '17 05:07)

I agree that seeing the rationale would be great, but please don't do this within the checklist, as you probably don't want to read it every time you read the checklist.

alexchamberlain (Jul 09 '17 06:07)

A very good idea. Maybe we can start to make separate files as a reference for every check point.

netcode (Jul 09 '17 09:07)

How about wiki pages that are linked to from the list?

StillLearnin (Mar 25 '18 20:03)

Without a rationale for each recommendation, the checklist is not very useful (to me at least).

Security is never perfect or absolute, so whether and how to secure something depends on how sensitive the data is and who you are protecting it from. And while some practices are widely accepted, there are disagreements about others. Take for example the discussions on Basic Auth and JWT in the issues on this repo. A rationale for why the author(s) of this checklist recommend using JWT Bearer Auth over Basic Auth would be good. (IMO, neither is perfect, but both can be good enough for some APIs.)

darioseidl (Oct 01 '21 19:10)

I agree that this list does not come across as useful to me. A security checklist asking its users to follow its advice without question paradoxically undermines the security-conscious process and mindset the checklist appears to support.

montchr (Jun 14 '22 19:06)

Anyone want to try having a go at this, make some PRs, etc?

Maikuolan (Jul 24 '22 07:07)