Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Additional configuration recommendations for API7:2023 Security Misconfiguration #104

Closed
securitylevelup opened this issue Mar 15, 2023 · 3 comments
Closed

Additional configuration recommendations for API7:2023 Security Misconfiguration #104

securitylevelup opened this issue Mar 15, 2023 · 3 comments
Assignees
@PauloASilva
Labels
2023RC enhancement New feature or request

Comments

@securitylevelup
Copy link
Contributor

The topic of Security Misconfiguration is broad and can easily turn into a large checklist of things to recommend. That said, is it beneficial to at least add several configuration recommendations in the main content such as:

  • Implementing HSTS (HTTP Strict Transport Security)
  • Configuring proper Allow Origin / X-Frame-Options headers
  • Verifying Content-Type: application/graphql headers for GraphQL requests and blocking other or missing content-types.

Especially with the growth in GraphQL usage, I would recommend more examples and focus on protecting against GraphQL attacks.
@ErezYalon
Copy link
Member

Thanks for the feedback.
Since The API Security Top 10 is an awareness document and not a "follow this list to be secure", we are not trying to supply comprehensive configuration and hardening lists. Giving examples of recommendations of different types make sense.
Another idea is maybe to add references to such trusted lists, from OWASP, or external.

PauloASilva added a commit that referenced this issue Mar 18, 2023
@PauloASilva
feat: Add recommendation regarding supported incoming content types
1ae47b3 
Addresses a concern raised on issue #104.
PauloASilva added a commit that referenced this issue Mar 18, 2023
@PauloASilva
refactor: add a reference to Security Headers on "How to Prevent" sec…
6c7e6bd 
…tion

Addresses feedback provided on issue #104 regarding Security Headers.
This was referenced Mar 18, 2023
Merged
Merged
@PauloASilva
Copy link
Collaborator

PauloASilva commented Mar 18, 2023
edited
Loading

The topic of Security Misconfiguration is broad and can easily turn into a large checklist of things to recommend. That said, is it beneficial to at least add several configuration recommendations in the main content such as:

* Implementing HSTS (HTTP Strict Transport Security)
* Configuring proper Allow Origin / X-Frame-Options headers

Despite Security Headers are (briefly) covered in the "Is the API Vulnerable?" section: "Security or cache control directives are not sent to clients" and OWASP Secure Headers Project is already one of the references, I believe we can reinforce the "How to Prevent" recommendations.

* Verifying Content-Type: application/graphql headers for GraphQL requests and blocking other or missing content-types.

This recommendation makes sense in general and not only for GraphQL.

Especially with the growth in GraphQL usage, I would recommend more examples and focus on protecting against GraphQL attacks.

We would love to have not only more GraphQL examples, but also examples for other API protocols such as RPC. So, feel free to contribute them.

@securitylevelup would you like to review PR #106 and #107 and let me know whether your concerns/suggestions are addressed?

Cheers,
Paulo A. Silva

@securitylevelup
Copy link
Contributor Author

I will take a look at specific GraphQL examples to contribute to the list. For now, I reviewed #106 and #107 and that looks great! Thanks for adding that in.

@PauloASilva PauloASilva added enhancement New feature or request 2023RC labels Mar 22, 2023
PauloASilva added a commit that referenced this issue Apr 27, 2023
@PauloASilva
feat(A7:2023RC): Add recommendation regarding supported incoming cont…
e3c777c 
…ent types

Closes #104
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@PauloASilva PauloASilva

Labels
2023RC enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@PauloASilva @ErezYalon @securitylevelup