...


Validate every input parameter

  • Never trust input parameters; see the OWASP Input Validation Cheat Sheet for detailed guidance.

  • Validate the length of each input value, its valid ranges and values, its format and its type.

  • All input parameters should be strongly typed (an id that must be an integer is rejected if it arrives as a string, not silently converted).

  • Do not accept unexpected or unknown content, such as fields the endpoint never asked for.

  • Use libraries or frameworks for validating and sanitizing input values rather than hand-written checks scattered across handlers.

  • Define limits for the data size in requests and reject requests that are too big by responding with HTTP status code 413 - "Request Entity Too Large". Check the size before parsing the body, not after.

  • Log errors that occur during input validation, and consider rules that temporarily ban API clients that fail validation repeatedly.
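The checklist above, as an added example that is not part of the original page: a small, dependency-free validator for a hypothetical "create user" body. The field names, the limits in USER_SCHEMA, the 4 KiB body cap and the five-failures-per-minute ban policy are all assumptions chosen for illustration; a real service would get them from its schema library and configuration.

```python
import json
import logging
import re
from collections import defaultdict

log = logging.getLogger("api.validation")

# Assumed limits for the example endpoint.
MAX_BODY_BYTES = 4096

USER_SCHEMA = {
    "username": {"type": str, "min_len": 3, "max_len": 32,
                 "pattern": re.compile(r"^[a-z0-9_]+\Z")},
    "age":      {"type": int, "min": 13, "max": 150},
    "role":     {"type": str, "allowed": {"user", "admin"}},
}


def validate_body(raw, schema=USER_SCHEMA, max_bytes=MAX_BODY_BYTES):
    """Validate a raw JSON request body. Returns (http_status, errors)."""
    # The size limit is enforced before any parsing happens (413 on overflow).
    if len(raw) > max_bytes:
        return 413, ["body exceeds %d bytes" % max_bytes]
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, ["body is not valid UTF-8 JSON"]
    if not isinstance(data, dict):
        return 400, ["body must be a JSON object"]

    errors = []
    # Unknown or unexpected fields are rejected, not silently ignored.
    for key in sorted(data.keys() - schema.keys()):
        errors.append("unknown field: %s" % key)

    for name, rule in schema.items():
        if name not in data:
            errors.append("missing field: %s" % name)
            continue
        value = data[name]
        # Strong typing: an exact type match, so "42" is not an int and
        # true (bool is a subclass of int in Python) is not an int either.
        if type(value) is not rule["type"]:
            errors.append("%s: expected %s" % (name, rule["type"].__name__))
            continue
        if "min_len" in rule and len(value) < rule["min_len"]:
            errors.append("%s: shorter than %d" % (name, rule["min_len"]))
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append("%s: longer than %d" % (name, rule["max_len"]))
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append("%s: invalid format" % name)
        if "min" in rule and value < rule["min"]:
            errors.append("%s: below %d" % (name, rule["min"]))
        if "max" in rule and value > rule["max"]:
            errors.append("%s: above %d" % (name, rule["max"]))
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append("%s: not an allowed value" % name)
    return (200, []) if not errors else (400, errors)


class FailureTracker:
    """Logs validation failures per client and temporarily bans repeat offenders."""

    def __init__(self, threshold=5, window=60.0, ban_seconds=300.0):
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(list)   # client_id -> failure timestamps
        self.banned_until = {}              # client_id -> unban time

    def is_banned(self, client_id, now):
        return self.banned_until.get(client_id, 0) > now

    def record(self, client_id, status, errors, now):
        """Log a validation outcome; return True if the client is now banned."""
        if status == 200:
            return False
        log.warning("validation failed client=%s status=%d errors=%s",
                    client_id, status, errors)
        recent = [t for t in self.failures[client_id] if now - t < self.window]
        recent.append(now)
        self.failures[client_id] = recent
        if len(recent) >= self.threshold:
            self.banned_until[client_id] = now + self.ban_seconds
            return True
        return False
```

The validator reports every problem it finds instead of stopping at the first one, which is what a client needs to fix its request; the 413 and malformed-JSON cases return early because there is nothing further to inspect. The tracker takes the current time as a parameter so it can be tested deterministically; call it with `time.time()` in a handler.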


Validate "content types"

If you don't validate the "content type" of requests, you open the door to injection and code execution attacks: the body ends up in whichever parser the declared type selects, including parsers you never intended to expose.

  • Validate "content types" for incoming requests to your API

    • Reject requests that lack a "content type", or that contain unexpected "content type" values.
      Respond to such requests with HTTP status codes:

      • 415 - "Unsupported Media Type" when the request's "Content-Type" is missing or is one you do not accept

      • 406 - "Not Acceptable" when the request's "Accept" header only asks for types you do not produce

    • Avoid exposing content types not in use by defining an explicit allowlist of content types.
      An API that only accepts application/json never hands a body to an XML parser, which removes the surface for XXE (XML External Entity) attacks.

  • Use safe content types in responses

    • DON'T copy the "Accept" header into the "Content-Type" header of the response.

    • Do not accept the request if the "Accept" header contains a type that is not allowed.
      Reply with HTTP status code 406 - "Not Acceptable" if the type stated in the "Accept" header is not allowed.

    • Make sure the "content type" header in your responses matches the content in the body. Example: application/json and not application/javascript.
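The request-side checks above as an added example, not code from the original page: an API that is assumed to accept and produce only application/json. It parses the media type with its parameters, answers 415 for a missing or unlisted request Content-Type (so an XML body never reaches a parser), and negotiates the response type from the Accept header's q-values, answering 406 when nothing the client accepts is on the producible list. The allowlists and the UTF-8-only charset rule are assumptions for the example.

```python
# Assumed allowlists: one type in, one type out.
SUPPORTED_REQUEST_TYPES = {"application/json"}
PRODUCIBLE_TYPES = ["application/json"]   # ordered by server preference


def parse_media_type(header):
    """Split 'type/subtype; charset=utf-8' into ('type/subtype', {param: value})."""
    if not header:
        return None, {}
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            key, value = p.split("=", 1)
            params[key.strip().lower()] = value.strip().strip('"').lower()
    return media_type, params


def check_request_content_type(content_type_header, body):
    """None if the request body may be parsed, else (415, reason)."""
    if not body:
        return None   # nothing to parse, nothing to validate
    media_type, params = parse_media_type(content_type_header)
    if media_type is None:
        return 415, "missing Content-Type"
    if media_type not in SUPPORTED_REQUEST_TYPES:
        # Unlisted types are refused outright; text/xml never reaches an XML parser.
        return 415, "unsupported media type %s" % media_type
    charset = params.get("charset", "utf-8")
    if charset != "utf-8":
        return 415, "unsupported charset %s" % charset
    return None


def negotiate_response_type(accept_header):
    """Pick the response Content-Type from PRODUCIBLE_TYPES using the client's
    Accept preferences. Returns a media type, or None, which maps to 406.
    The returned value is always one of our own types, never the Accept text."""
    if not accept_header:
        return PRODUCIBLE_TYPES[0]   # no Accept header: the server's default
    prefs = {}
    for item in accept_header.split(","):
        media_type, params = parse_media_type(item)
        try:
            q = float(params.get("q", "1"))
        except ValueError:
            q = 0.0
        prefs[media_type] = q
    best, best_q = None, 0.0
    for candidate in PRODUCIBLE_TYPES:
        wildcard = candidate.split("/")[0] + "/*"
        q = prefs.get(candidate, prefs.get(wildcard, prefs.get("*/*", 0.0)))
        if q > best_q:
            best, best_q = candidate, q
    return best
```

In a handler the two functions run before any body parsing: a non-None result from `check_request_content_type` is returned as the 415 response, and a None from `negotiate_response_type` becomes the 406. The response's Content-Type is then built from the negotiated value plus the server's own charset, which is how the "don't copy Accept into Content-Type" rule is kept.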


Security headers

  • Send the "Content-Type" header with the correct content type and charset.

  • Send the security header "X-Content-Type-Options: nosniff" to make sure the browser does not try to change the Content-Type to something other than what was sent. Without it, MIME sniffing can turn a response into HTML or script, which can lead to XSS.

  • Send the security header "X-Frame-Options: deny" to protect against "drag'n'drop clickjacking" attacks in older browsers.



Correct use of CORS
By delivering appropriate CORS headers, your REST API signals which domains (origins) are allowed to make JavaScript calls to the REST service.

  • Disable CORS headers if cross-domain calls are not supported or expected.

  • Be as specific as possible and as general as necessary when defining which origins are valid for cross-domain calls.
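The "Security headers" and "Correct use of CORS" sections above, as one added example that is not part of the original page: a response-header builder that sets an explicit Content-Type with charset, adds nosniff and X-Frame-Options, and answers CORS only for origins on an exact-match allowlist. The origins, the allowed methods and headers, and the preflight cache time are assumptions; a real deployment reads them from configuration.

```python
# Assumed configuration for the example.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST")
CORS_ENABLED = True   # set to False when no cross-origin callers are expected


def security_headers(media_type="application/json"):
    """Headers every API response carries, independent of who is calling."""
    return {
        # Explicit type and charset chosen by the server, never echoed from
        # the request's Accept header.
        "Content-Type": "%s; charset=utf-8" % media_type,
        # Stop the browser from sniffing the body into another type; a JSON
        # body sniffed as HTML would be rendered, and any script in it run.
        "X-Content-Type-Options": "nosniff",
        # Refuse to be framed at all; covers clickjacking in older browsers.
        "X-Frame-Options": "deny",
    }


def cors_headers(origin, allowed=ALLOWED_ORIGINS, enabled=CORS_ENABLED):
    """CORS headers for a request from `origin`; an empty dict if none apply."""
    if not enabled or not origin:
        return {}
    # Exact-match allowlist: no prefix or substring matching, so
    # https://app.example.com.evil.net and http://app.example.com both fail;
    # no unconditional reflection of the Origin value; no "*" on an API that
    # uses cookies or other ambient credentials.
    if origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        # Caches must key on Origin, or one origin's allowed answer gets
        # served to a different origin.
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": "Content-Type, Authorization",
        "Access-Control-Max-Age": "600",
    }


def handle_preflight(origin, requested_method):
    """Answer an OPTIONS preflight: (204, headers) if allowed, else (403, {})."""
    cors = cors_headers(origin)
    if not cors or requested_method not in ALLOWED_METHODS:
        return 403, {}
    return 204, cors


def response_headers(origin=None, media_type="application/json"):
    """Full header set for a normal (non-preflight) API response."""
    headers = security_headers(media_type)
    headers.update(cors_headers(origin))
    return headers
```

With CORS_ENABLED set to False the response carries no Access-Control headers at all, which is the "disable CORS headers" rule above; with it on, a request from an origin that is not listed still gets the security headers but no CORS grant, so the browser blocks the cross-origin read.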


Make sure your API always sends the correct HTTP response codes

...