While IETF RFC documents often do not extensively mention general web-based security considerations, and only those relating specifically to the document at hand, in this instance it could be beneficial to mention a number of additional security considerations for the benefit of this specification's audience.
We should note security considerations:
Data from remote sources should be treated as untrusted
Must use HTTPS - Verify certificates
Use standard JSON deserialisation libraries
Limit searching queries so as to prevent accidental Denial of Service attacks
Follow Cross Site Scripting (XSS) prevention rules as defined by OWASP XSS Prevention Cheat Sheet with a brief overview of rules 0, 1, 2, and 3. This is for the client side
Follow SQL Injection Prevention guide from OWASP. This is for the server and client side
Note that the two OWASP guides fall under "good practice"
rfc8259 The JavaScript Object Notation (JSON) Data Interchange Format - AKA the JSON specification, highlights a security consideration that is applicable
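A client-side sketch of the first four points above (HTTPS with certificate verification, JSON parsed only with the standard library, a response size cap and a bounded search page size), added here as an illustration; it is not code from the specification or from any GA4GH implementation, and the limits, function names and the duplicate-member check are assumptions.

```python
"""Client-side handling of remote JSON as untrusted data (added example)."""
import json
import ssl
import urllib.parse
import urllib.request

MAX_BODY_BYTES = 1 << 20   # assumed cap: refuse responses larger than 1 MiB
MAX_PAGE_SIZE = 100        # assumed cap on records per search request


def require_https(url: str) -> str:
    """Reject anything that is not an absolute https:// URL."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS URL: {url!r}")
    return url


def parse_untrusted_json(body: bytes, max_bytes: int = MAX_BODY_BYTES) -> dict:
    """Decode a response body with the standard json module only (never eval).
    Enforces the size cap, UTF-8 (RFC 8259), a top-level object, and rejects
    duplicate member names, which RFC 8259 leaves implementation-dependent."""
    if len(body) > max_bytes:
        raise ValueError("response body exceeds size limit")

    def no_duplicates(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                raise ValueError(f"duplicate member {key!r}")
            seen[key] = value
        return seen

    doc = json.loads(body.decode("utf-8"), object_pairs_hook=no_duplicates)
    if not isinstance(doc, dict):
        raise ValueError("expected a JSON object at top level")
    return doc


def clamp_page_size(requested, cap: int = MAX_PAGE_SIZE) -> int:
    """Bound how many records one search may return, to avoid accidental DoS."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        raise ValueError("page size must be an integer")
    if n < 1:
        raise ValueError("page size must be positive")
    return min(n, cap)


def fetch_json(url: str, timeout: float = 10) -> dict:
    """GET url over HTTPS with chain and hostname verification, then parse."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    with urllib.request.urlopen(require_https(url), timeout=timeout, context=ctx) as resp:
        return parse_untrusted_json(resp.read(MAX_BODY_BYTES + 1))
```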
The security considerations have traditionally gone into the main specification. Also htsget has some standard GA4GH language on the Cross Origin Resource Sharing that may be useful
A new security document has been created by the Security worksteam.
I have filled most of this in: https://drive.google.com/open?id=1IIqzk6wrphqXHNN72BKZA9nvRm0_efPwEbTO8pYTcRc
I was unclear if all of the form was relevant to this specification.
Rish said the document should be submitted as is to open a discussion.
@rishidev Can you let us know when we should expect to hear back on the submission?
As mentioned in the RC5 Retrospective document: