Comments (3)
The topic of Security Misconfiguration is broad and can easily turn into a large checklist of things to recommend. That said, is it beneficial to at least add several configuration recommendations in the main content such as:
* Implementing HSTS (HTTP Strict Transport Security) * Configuring proper Allow Origin / X-Frame-Options headers
Despite Security Headers are (briefly) covered in the "Is the API Vulnerable?" section: "Security or cache control directives are not sent to clients" and OWASP Secure Headers Project is already one of the references, I believe we can reinforce the "How to Prevent" recommendations.
* Verifying Content-Type: application/graphql headers for GraphQL requests and blocking other or missing content-types.
This recommendation makes sense in general and not only for GraphQL.
Especially with the growth in GraphQL usage, I would recommend more examples and focus on protecting against GraphQL attacks.
We would love to have not only more GraphQL examples, but also examples for other API protocols such as RPC. So, feel free to contribute them.
@securitylevelup would you like to review PR #106 and #107 and let me know whether your concerns/suggestions are addressed?
Cheers,
Paulo A. Silva
from api-security.
I will take a look at specific GraphQL examples to contribute to the list. For now, I reviewed #106 and #107 and that looks great! Thanks for adding that in.
from api-security.
Thanks for the feedback.
Since The API Security Top 10 is an awareness document and not a "follow this list to be secure", we are not trying to supply comprehensive configuration and hardening lists. Giving examples of recommendations of different types make sense.
Another idea is maybe to add references to such trusted lists, from OWASP, or external.
from api-security.
Related Issues (20)
- 2023RC API8: Suggestion for the Prevention about detecting Non-human patterns
- Inconsistent Naming Improper Inventory Management HOT 1
- Risk factors in all categories need rewrite HOT 4
- OWASP Production - need a license HOT 1
- OWASP Public Slack Channel HOT 1
- OWASP Production - all leaders are admins HOT 1
- OSSF passing - release notes for 2023 HOT 3
- OpenSSF passing - need a build script HOT 1
- Categorizations, rankings & data veracity. HOT 4
- Contradictory risk classification for "Unsafe Consumption of APIs" HOT 1
- Persian Translation for 2023 HOT 4
- Translation to Portuguese (pt-PT) for 2023 version HOT 2
- Translation to French (fr) for 2023 version HOT 1
- Translation to brasilian portuguese (pt-BR) HOT 3
- Missing link or resource in API2:2023
- Differentiation Between OWASP Top 10 and API Top 10? HOT 8
- Need a demo application having all top 10 api risks HOT 6
- API Lifecycle management HOT 1
- Odata with EF and .Net core Security risks with Front End queries through web components HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from api-security.