From 85a86866e1d30a86e3e94252e7d07687d8aeaeff Mon Sep 17 00:00:00 2001 From: germas Date: Mon, 25 Jul 2016 17:53:04 -0700 Subject: [PATCH] typo --- security-checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-checklist.md b/security-checklist.md index df8df33..381200c 100644 --- a/security-checklist.md +++ b/security-checklist.md @@ -23,7 +23,7 @@ - [ ] Any resource access like, `my cart`, `my history` should check the logged in user's ownership of the resource using session id. - [ ] Serially iterable resource id should be avoided. Use `/me/orders` instead of `/user/37153/orders`. This acts as a sanity check in case you forgot to check for authorization token. - [ ] `Edit email/phone number` feature should be accompanied by a verification email to the owner of the account. -- [ ] Any upload feature should sanitize the filename provided by the user. Also, for generally reasons apart from security, upload to something like S3 (and post-process using lambda) and not your own server capable of executing code. +- [ ] Any upload feature should sanitize the filename provided by the user. Also, for general reasons apart from security, upload to something like S3 (and post-process using lambda) instead of your own server capable of executing code. - [ ] `Profile photo upload` feature should sanitize all the `EXIF` tags also if not required. - [ ] For user ids and other ids, use [RFC compliant ](http://www.ietf.org/rfc/rfc4122.txt) `UUID` instead of integers. You can find an implementation for this for your language on Github. - [ ] JWT are awesome. Use them if required for your single page app/APIs.
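Review bot: the subject line "typo" does not say what was corrected; a short body naming the two fixes on the upload-feature item ("generally reasons" to "general reasons", "and not your own server" to "instead of your own server") would make the history searchable. While this line is being touched, "sanitize the filename provided by the user" is still left as an instruction with no stated method; consider saying that the stored object should be given a server-generated name (a UUID, which the list already recommends for ids two items further down) and that the user-supplied name is kept only as metadata, since hand-stripping path separators and `..` sequences from a user-controlled name is easy to get wrong.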