Walk through OWASP REST security checklist - Githubissues

StartupAPI / users

:zap: User management tool to be used in on-line projects. Includes admin dashboard.

http://www.StartupAPI.com/

MIT License

60 stars 24 forks source link

Walk through OWASP REST security checklist #271

Open sergeychernyshev opened 8 years ago

sergeychernyshev commented 8 years ago

OWASP maintains a REST API security checklist: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet

Verify things are currently done and create tickets for things that are not supported.

Create a checklist wiki page for this project and document how things are secured.

As of December 27, 2017 the list consists of:

[x] HTTPS (#280)
[ ] Access Control
[ ] JWT
[ ] API Keys
[x] Restrict HTTP methods (405 returned when \StartupAPI\API\MethodNotAllowedException is caught api.php#L142)
[ ] Input Validation
[ ] Validate Content Types
- [ ] Validate request content types
- [ ] Send safe response content types
[ ] Management endpoints
[ ] Error handling
[ ] Audit logs
[ ] Security headers
- [ ] CORS
[ ] Sensitive information in HTTP requests
[ ] HTTP Return Code