belgif / rest-guide

REST Guidelines of Belgian government institutions
https://www.belgif.be/specification/rest/api-guide/
Apache License 2.0
25 stars 4 forks source link

Doc resource SHOULD be non-secured #96

Closed wsalembi closed 1 year ago

wsalembi commented 2 years ago

Add a small addition to https://www.belgif.be/specification/rest/api-guide/#doc-resource

The standard resource /doc/swagger.yaml can be defined as a non-secure resource. Make sure the specification only contains publicly available documentation (no sensitive, personal or secret data) and is only exposed to the access channel (INTERNET, EXTRANET, INTERNAL) where the API is hosted. (cfr Application Security decision dd. 09/06/2022)

/doc/swagger.yaml: security: []

/doc/openapi.yaml: security: []

pvdbosch commented 2 years ago

Should this apply to the whole of /doc/* ?

Maybe it's a business decision up to providers to only expose its API documentation to users with a specific role (e.g. hide deprecated versions, targeted information, ...) vs. openness (API economy). Restricting access to EXTRANET or INTERNAL access channel is just one way of limiting access to a group of users IMO.

Mentioning access channel in the guide may however be a bit too specific to Social Security.

pvdbosch commented 2 years ago

we can remain more general in the guide: Access should at least be allowed to /doc/* content to any (potential) user of the API

pvdbosch commented 2 years ago

I'll create a PR for this change

pvdbosch commented 2 years ago

PR #97 ready for review.

Also, some technical challenges with the doc resources were also brought up during WG, but won't be included in the guide because they can be product-specific: