API-Security-Checklist
Checklist of the most important security countermeasures when designing, testing, and releasing your API
I think an API signature should be added to prevent manual/automatic testing, and a check that the id (uid, cid, tid, ... for example) on params/query string is owned by the requesting user.
Add a Monitoring section.
Hi, thanks for your exciting work! This checklist helped me very much. But I noticed that this repo has had 9 issues & 9 pull requests ([including mine](https://github.com/shieldfy/API-Security-Checklist/pulls)) now, which still...
Each thing in the list deserves a file on the rationale behind it, even if those are largely URLs.
It looks like most of the advice from the OWASP REST Cheat Sheet is discussed in this API-Security-Checklist, but OWASP talks about the importance of CORS, which is not mentioned...
If an application is using JWT in browsers, it should be stored securely in a cookie, which requires: - Require SSL on the communication - Enable HttpOnly - Send the...
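To make the cookie requirements in the comment above concrete, here is an added example in Python (not code from the API-Security-Checklist project or from the commenter). It builds a Set-Cookie header for a JWT with the Secure and HttpOnly attributes the comment lists, plus SameSite and the `__Host-` prefix, and it includes a small checker that reports which of those protections a given Set-Cookie header lacks. The cookie name `session`, the 15-minute lifetime and the sample token are constructed for the example.

```python
# Added example: Set-Cookie hardening for a JWT held in a browser cookie.
# Not from the project; cookie name, lifetime and token are constructed.


def build_jwt_cookie(token: str, name: str = "session", max_age: int = 900) -> str:
    """Return a hardened Set-Cookie header value carrying a JWT.

    - Secure: the browser only sends it over TLS ("Require SSL on the communication")
    - HttpOnly: not readable from document.cookie, so XSS cannot exfiltrate it
    - SameSite=Strict: withheld on cross-site requests, which blocks the CSRF that
      cookie-based authentication reintroduces compared with an Authorization header
    - Path=/ and Max-Age bound where and for how long it is sent
    - __Host- prefix: the browser refuses the cookie unless it is Secure, has
      Path=/ and no Domain attribute, so a downgraded copy cannot be set
    """
    # A JWT is base64url segments joined by '.', so none of these can occur;
    # the check guards against passing something that is not a JWT.
    if any(c in token for c in ' ;,"\\'):
        raise ValueError("token contains characters that are not cookie-safe")
    return (
        f"__Host-{name}={token}; Path=/; Max-Age={max_age}; "
        f"Secure; HttpOnly; SameSite=Strict"
    )


def cookie_attrs(set_cookie: str) -> dict:
    """Parse 'name=value; Attr; Attr=v' into {attr_lowercase: value or True}."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:          # parts[0] is the name=value pair itself
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return attrs


def missing_cookie_protections(set_cookie: str) -> list:
    """List the protections a Set-Cookie header lacks for holding a JWT."""
    attrs = cookie_attrs(set_cookie)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    samesite = attrs.get("samesite")
    # Absent, bare, or SameSite=None all leave the cookie attached to cross-site requests.
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax"):
        missing.append("SameSite=Strict|Lax")
    return missing


if __name__ == "__main__":
    # Constructed sample token (not a real signed JWT).
    hardened = build_jwt_cookie("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMDAxIn0.sig")
    print(hardened)
    print("weak header lacks:", missing_cookie_protections("session=abc; Path=/"))
    print("hardened header lacks:", missing_cookie_protections(hardened))
```

The checker is deliberately strict about SameSite: `SameSite=None` is the value that explicitly opts back into cross-site sending, so it is reported as missing just like an absent attribute.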
Can someone explain why "User own resource ID should be avoided. Use /me/orders instead of /user/654321/orders." is a security concern? I agree that the user can know...
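The two comments above (checking that an id on the path or query string is owned by the requester, and why `/me/orders` is preferred over `/user/654321/orders`) are the same point seen from two sides, so here is one added example in Python covering both. It is not code from the project or from either commenter. It models three handlers over constructed in-memory sessions and orders: a `/user/{id}/orders` handler that only authenticates, a version of it that also checks ownership, and a `/me/orders` handler that takes the owner from the session so there is no id to tamper with. The tokens, user ids and order records are constructed; the `Forbidden`/`Unauthorized` exceptions stand in for 403/401 responses.

```python
# Added example: insecure direct object reference (IDOR) on /user/{id}/orders,
# the ownership check that fixes it, and /me/orders which avoids it entirely.
# Not project code; sessions and orders below are constructed sample data.

# Bearer token -> user id (what a session store would return)
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

# Orders keyed by the owner's user id
ORDERS = {
    1001: [{"id": 1, "item": "laptop"}],
    1002: [{"id": 2, "item": "phone"}],
}


class Unauthorized(Exception):
    """Stands in for HTTP 401: no valid session."""


class Forbidden(Exception):
    """Stands in for HTTP 403: valid session, but not this resource."""


def current_user(token: str) -> int:
    """Resolve the caller from the session, never from request parameters."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("invalid session") from None


def orders_by_user_id_vulnerable(token: str, user_id: int) -> list:
    """GET /user/{user_id}/orders with no ownership check.

    Authentication succeeds for any logged-in caller, and the data is then
    selected purely by the number in the URL, so Bob can read Alice's orders
    by changing 1002 to 1001.
    """
    current_user(token)                 # authenticated...
    return ORDERS.get(user_id, [])      # ...but the id is trusted as-is


def orders_by_user_id_checked(token: str, user_id: int) -> list:
    """GET /user/{user_id}/orders with the ownership check the comment asks for."""
    caller = current_user(token)
    if user_id != caller:
        # Some APIs return 404 here instead of 403 so that guessing ids does not
        # confirm which users exist; the important part is that nothing is returned.
        raise Forbidden("resource belongs to another user")
    return ORDERS.get(user_id, [])


def my_orders(token: str) -> list:
    """GET /me/orders: the owner comes from the session, so there is no id to tamper with."""
    return ORDERS.get(current_user(token), [])


def access_denied(handler, *args) -> bool:
    """True if the handler refuses the request (401 or 403)."""
    try:
        handler(*args)
    except (Unauthorized, Forbidden):
        return True
    return False


if __name__ == "__main__":
    # Bob tampers with the id in the URL to read Alice's orders.
    print("vulnerable:", orders_by_user_id_vulnerable("tok-bob", 1001))
    print("checked denies Bob:", access_denied(orders_by_user_id_checked, "tok-bob", 1001))
    print("/me/orders for Bob:", my_orders("tok-bob"))
```

Every `/user/{id}/...` route needs the ownership check written out and kept correct; `/me/...` routes get it for free because the lookup key never came from the client.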
You should mention range, type and length checks. Peculiarities of JSON/XML parsing should also be mentioned, as parsers very often work outside of the "safe" realm on most script interpreters,...
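As an added example of the range, type and length checks and the JSON parsing peculiarities the comment above raises, here is a strict request parser in Python. It is not code from the project or from the commenter. It wraps the standard `json` module so that duplicate keys, the non-standard `NaN`/`Infinity` constants that `json.loads` accepts by default, oversized bodies and excessive nesting are rejected, then validates each field against a constructed schema. The schema (`username`, `quantity`, `tags`), the size and depth limits, and the `BadRequest` exception are assumptions made for the example.

```python
# Added example: strict JSON body parsing plus type/range/length validation.
# Not project code; the schema and limits are constructed for the example.
import json

MAX_BODY_BYTES = 64 * 1024   # reject before parsing; the parser has no limit of its own
MAX_DEPTH = 32               # arrays/objects nested deeper than this are rejected

# Constructed schema: field -> constraints
SCHEMA = {
    "username": {"type": str, "min_len": 3, "max_len": 32},
    "quantity": {"type": int, "min": 1, "max": 100},
    "tags":     {"type": list, "max_len": 10, "item_type": str},
}


class BadRequest(ValueError):
    """Stands in for an HTTP 400 response."""


def _no_duplicate_keys(pairs):
    # json.loads silently keeps the LAST duplicate key; a proxy or WAF that
    # inspects the FIRST one would validate a different value than we use.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise BadRequest(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def _reject_constant(name):
    # NaN, Infinity and -Infinity are not valid JSON but json.loads accepts them
    # unless parse_constant says otherwise.
    raise BadRequest(f"non-standard JSON constant {name}")


def _check_depth(value, level=0):
    if level > MAX_DEPTH:
        raise BadRequest("nesting too deep")
    if isinstance(value, dict):
        for v in value.values():
            _check_depth(v, level + 1)
    elif isinstance(value, list):
        for v in value:
            _check_depth(v, level + 1)


def strict_json_loads(body: str):
    """json.loads with the lenient defaults turned off."""
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        raise BadRequest("body too large")
    try:
        value = json.loads(body, object_pairs_hook=_no_duplicate_keys,
                           parse_constant=_reject_constant)
    except BadRequest:
        raise
    except (ValueError, RecursionError) as exc:   # JSONDecodeError is a ValueError;
        raise BadRequest(f"malformed JSON: {exc}") from None  # huge ints/deep nesting also land here
    _check_depth(value)
    return value


def validate(payload) -> dict:
    """Apply the type, range and length rules in SCHEMA; reject unknown fields."""
    if not isinstance(payload, dict):
        raise BadRequest("expected a JSON object")
    unknown = set(payload) - set(SCHEMA)
    if unknown:
        raise BadRequest(f"unknown fields: {sorted(unknown)}")
    clean = {}
    for field, rule in SCHEMA.items():
        if field not in payload:
            raise BadRequest(f"missing field {field!r}")
        value = payload[field]
        # bool is a subclass of int in Python, so "quantity": true would otherwise pass.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            raise BadRequest(f"{field}: wrong type")
        if "min" in rule and value < rule["min"]:
            raise BadRequest(f"{field}: below minimum")
        if "max" in rule and value > rule["max"]:
            raise BadRequest(f"{field}: above maximum")
        if "min_len" in rule and len(value) < rule["min_len"]:
            raise BadRequest(f"{field}: too short")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise BadRequest(f"{field}: too long")
        if "item_type" in rule and not all(isinstance(v, rule["item_type"]) for v in value):
            raise BadRequest(f"{field}: wrong item type")
        clean[field] = value
    return clean


def parse_request(body: str) -> dict:
    return validate(strict_json_loads(body))


def is_rejected(body: str) -> bool:
    """True if parse_request refuses the body."""
    try:
        parse_request(body)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    print(parse_request('{"username": "alice", "quantity": 3, "tags": ["new"]}'))
    for bad in ('{"username": "alice", "username": "bob", "quantity": 3, "tags": []}',
                '{"username": "alice", "quantity": NaN, "tags": []}',
                '{"username": "alice", "quantity": true, "tags": []}'):
        print("rejected:", is_rejected(bad), bad)
```

Note that the validator only lets through the fields it knows, with their checked values, rather than passing the parsed object on; that is what keeps extra or mistyped keys from reaching code further down the stack.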
http://blog.portswigger.net/2016/11/json-hijacking-for-modern-web.html It also contains other helpful hints.
> don't use JWT. JWT terrifies me, and it terrifies all the crypto engineers I know. As a security standard, it is a series of own-goals foreseeable even 10 years...