Closed ghost closed 3 years ago
@sasl83 Are you referring to the following statement?
- The authorized user must insert the one-time password in the primary system so that it is transmitted when calling the REST API.
Hmmm, you open the source and the specs but are not open to other ideas, as they are in the specs, or refuse to implement as much security as possible. That's a joke.
You do not specify how the communication between an "authorized user" (client) and the backend happens. IP or DNS? Secure the communication of the channels with additional DNS stuff on both sides! NO direct IP access; clients need to use DNS. Use all the power of DNS to really make sure communication is secure (DNSSEC/CAA/CERT/HSTS/etc.)! This makes the "authorized user" (client) and the backend much more trustworthy. Note: You can't use Windows DNS for this; use BIND on Linux.