Security considerations

[Relequestual]

As mentioned in the RC5 Retrospective document:

While IETF RFC documents often do not extensivly mention general web based security considerations, and only those relating specifically to the document at hand, in this instance it could be beneficial to mention a number of additional security considerations for benefit of this specifications audience.

We should note security considerations:

• Data from remote sources should be treated as untrusted
• Must use HTTPS - Verify certificates
• Use standard JSON deserialisation libraries
• Limit searching queries so as to prevent accidental Denial of Service attacks
• Follow Cross Site Scripting (XSS) prevention rules as defined by OWASP XSS Prevention Cheat Sheet with a brief overview of rules 0, 1, 2, and 3. This is for the client side
• Follow SQL Injection Prevention guide from OWASP. This is for the server and client side
• Note that the two OWASP guides fall under "good practice"
• rfc8259 The JavaScript Object Notation (JSON) Data Interchange Format - AKA the JSON specification, highlights a security consideration that is applicable

[Relequestual]

@kemp-google Did you say you're willing to take this on? If so, I'll re-assign to you! =]

[kemp-google]

Thanks @Relequestual. Did you have a desired location for this content? If not I imagine a "Security Considerations" section in specification.md.

[rishidev]

The security considerations have traditionally gone into the main specification. Also htsget has some standard GA4GH language on the Cross Origin Resource Sharing that may be useful

[Relequestual]

A new security document has been created by the Security worksteam.
I have filled most of this in: https://drive.google.com/open?id=1IIqzk6wrphqXHNN72BKZA9nvRm0_efPwEbTO8pYTcRc
I was unclear if all of the form was relevant to this specification.
Rish said the document should be submitted as is to open a discussion.

@rishidev Can you let us know when we should expect to hear back on the submission?