diff --git a/.gitignore b/.gitignore index 616f984..9839f0b 100644 --- a/.gitignore +++ b/.gitignore @@ -108,3 +108,4 @@ dist .DS_Store +git \ No newline at end of file diff --git a/general-guidelines/security.md b/general-guidelines/security.md index ed4f66c..8ba3713 100644 --- a/general-guidelines/security.md +++ b/general-guidelines/security.md @@ -10,6 +10,24 @@ Not every user has a right to every web service. This is vital, as you don't wan Server versioning information or any other sensitive information from the HTTP headers SHOULD BE removed/masked according to industry best practices. This prevents any form of targeted attacks since the vulnerabilities are mostly specific to the vendors. +## Use Security HTTP Headers +Modern browsers support many HTTP headers that can improve web application security to protect against clickjacking, cross-site scripting, and other common attacks. +Your API SHOULD use security HTTP headers to improve the level of protection. +See the [list of OWASP Secure Headers](https://owasp.org/www-project-secure-headers/) to form the combination of headers +Ideally you SHOULD inlcude HTTP Security Headers at least in these areas unless there is an incompatibility with some functional requirement: + +- HTTP Strict Transport Security +- Content-Security-Policy +- X-Frame-Options +- X-Content-Type-Options +- X-Permitted-Cross-Domain-Policies +- Referrer-Policy +- Clear-Site-Data +- Cross-Origin-Embedder-Policy +- Cross-Origin-Opener-Policy +- Cross-Origin-Resource-Policy + + ## Session Management RESTful web services SHOULD use session-based authentication, either by establishing a session token via a POST or by using an API key \(Client ID and a Client Secret\) as a POST body argument or as a cookie. Usernames, passwords, session tokens, API keys, and sensitive information MUST NOT appear in the URL, as this can be captured in web server logs, which makes them intrinsically valuable.