Josh Grossman

Results 761 comments of Josh Grossman

I completely agree. I think we need to refer to the need for "atomic transaction" where either all steps succeed or all steps fail. @elarlang do you think we need...

So do we think 12.6.1 is more of a network level security control, i.e. make sure the web server is network segmented so that it can only access certain IPs...

So this makes 12.6.1 a network level configuration. Do we think this is still in scope? I think this should be moved to either V14 or V1.14 and I am...

Agree, need to think about this more...

I agree but can we do this from 5.0 onwards? Translators are recognised on the front page of the repo

To be honest, having read [the relevant section of NIST](https://pages.nist.gov/800-63-3/sp800-63b.html#721-reauthentication-from-a-federation-or-assertion) and also read the requirements, I think these are ok. The point the NIST standard makes is that the CSP...

If we focus on JSONP, is there any problem with @Sjord's suggestion above?

> Verify that sensitive information is not present in JavaScript or JSONP responses, to prevent cross-origin access...

How about this:

> Verify that JSONP functionality is not enabled anywhere across the application and that sensitive information is not present in JavaScript files to avoid Cross-Site Script Inclusion...

ok so like:

> Verify that JSONP functionality is not enabled anywhere across the application to avoid Cross-Site Script Inclusion (XSSI) attacks.
> Verify that sensitive information is not present...