From 3a237075e904f28f2ad586fbe5b882d5696dec1e Mon Sep 17 00:00:00 2001 From: manutd Date: Thu, 14 Jul 2022 10:55:42 +0700 Subject: [PATCH 1/2] add api signature on Input --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4e64726..ef3afdd 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ Checklist of the most important security countermeasures when designing, testing - [ ] Validate user input to avoid common vulnerabilities (e.g. `XSS`, `SQL-Injection`, `Remote Code Execution`, etc.). - [ ] Don't use any sensitive data (`credentials`, `Passwords`, `security tokens`, or `API keys`) in the URL, but use standard Authorization header. - [ ] Use an API Gateway service to enable caching, Rate Limit policies (e.g. `Quota`, `Spike Arrest`, or `Concurrent Rate Limit`) and deploy APIs resources dynamically. +- [ ] Use API signature to prevent some guy testing manually or automatically ## Processing - [ ] Check if all the endpoints are protected behind authentication to avoid broken authentication process. From f04c3e4681a465f1adcd42d3e45cd9427ed8773b Mon Sep 17 00:00:00 2001 From: manutd Date: Thu, 14 Jul 2022 11:02:35 +0700 Subject: [PATCH 2/2] check for IODR on Processing --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ef3afdd..e7e7fea 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,7 @@ Checklist of the most important security countermeasures when designing, testing - [ ] Use a CDN for file uploads. - [ ] If you are dealing with huge amount of data, use Workers and Queues to process as much as possible in background and return response fast to avoid HTTP Blocking. - [ ] Do not forget to turn the DEBUG mode OFF. +- [ ] Make sure id send via params/query string (uid, cid... for example) is owned by user requested API to prevent IODR ## Output - [ ] Send `X-Content-Type-Options: nosniff` header.
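Review bot: In the first hunk (PATCH 1/2, the `Use API signature` item under the input checklist), the rationale "to prevent some guy testing manually or automatically" is informal and overstates what a signature does: a request signature lets the server verify that the request came from a holder of the signing key and was not tampered with (and, with a timestamp or nonce, not replayed); it does not stop someone who holds a valid key from probing the API. Suggest wording it as a concrete control, e.g. `- [ ] Sign API requests (e.g. an HMAC over method, path, body and a timestamp) so the server can verify request integrity and reject tampered or replayed requests.`, and stating what the signature covers and how the server rejects stale timestamps, since the item otherwise gives the reader nothing actionable to verify.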
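Review bot: In the second hunk (PATCH 2/2, the `Make sure id send via params/query string ...` item under Processing), "IODR" is a typo for IDOR (Insecure Direct Object Reference), and it appears both in the added line and in the commit subject "check for IODR on Processing"; the wording "id send via params/query string ... is owned by user requested API" also needs grammar fixes. Suggest `- [ ] Verify that any object id the client supplies (e.g. `uid`, `cid` in path, query string or body) belongs to the authenticated user before acting on it, to prevent IDOR.`, which also widens the check beyond query-string parameters, since ids in the path or JSON body are equally exposed. Consider noting that this is an authorization check distinct from the existing "endpoints are protected behind authentication" item above it, so readers do not treat an authenticated session as sufficient.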