cap-js / ord

Open Resource Discovery (ORD) is a protocol that allows applications and services to self-describe their exposed resources and capabilities. This plugin enables generation of an ORD document for CAP-based applications.
Apache License 2.0

Protection of metadata #52

Open Fannon opened 2 months ago

Fannon commented 2 months ago

Security of metadata in ORD Plugin (proposal from @Fannon ):

"open" is only allowed if metadata is public and static. In this case, we make it public later anyway (BAH). If metadata is tenant-specific, it needs to be protected to not leak information about customer extensions. If metadata contains internal or private visibility content, then it needs to be protected and the aggregators take over responsibility for access control / protection.

For customer CAP applications, we probably have to go with a default, but here we can't protect by default. So we make this a customer decision.
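The rule proposed above, applied to a generated ORD document, as an added example that is not part of the cap-js/ord plugin. It assumes resources carry the ORD `visibility` field (`public`, `internal`, `private`) and that whether the document is tenant-specific is known to the caller; the sample documents are constructed.

```javascript
// Added example, not plugin code. Decide whether an ORD document endpoint may be
// served "open" (unauthenticated) or must be "protected", per the rule in this issue.

// Resource groups in an ORD document that carry a "visibility" field.
const VISIBLE_GROUPS = ["apiResources", "eventResources", "entityTypes", "capabilities"];

// Collect the visibility of every resource; a missing value is treated as
// "internal" so that an incomplete document fails closed (our choice, not ORD's).
function resourceVisibilities(doc) {
  const out = [];
  for (const group of VISIBLE_GROUPS) {
    for (const res of doc[group] ?? []) out.push(res.visibility ?? "internal");
  }
  return out;
}

// "open" only when every resource is public AND the document is not
// tenant-specific; otherwise "protected", with the reasons listed.
function requiredExposure(doc, { tenantSpecific = false } = {}) {
  const reasons = [];
  if (tenantSpecific) reasons.push("tenant-specific metadata (customer extensions)");
  const nonPublic = resourceVisibilities(doc).filter((v) => v !== "public");
  if (nonPublic.length > 0) {
    reasons.push(`${nonPublic.length} resource(s) with non-public visibility`);
  }
  return { mode: reasons.length === 0 ? "open" : "protected", reasons };
}

// Constructed sample documents (ordId values are placeholders, not real products).
const PUBLIC_STATIC_DOC = {
  openResourceDiscovery: "1.9",
  apiResources: [{ ordId: "example:apiResource:Orders:v1", visibility: "public" }],
  eventResources: [{ ordId: "example:eventResource:OrderChanged:v1", visibility: "public" }],
};
const MIXED_DOC = {
  openResourceDiscovery: "1.9",
  apiResources: [
    { ordId: "example:apiResource:Orders:v1", visibility: "public" },
    { ordId: "example:apiResource:Admin:v1", visibility: "internal" },
  ],
  eventResources: [{ ordId: "example:eventResource:Audit:v1" }], // visibility missing
};

console.log(requiredExposure(PUBLIC_STATIC_DOC));                        // open
console.log(requiredExposure(MIXED_DOC));                                // protected
console.log(requiredExposure(PUBLIC_STATIC_DOC, { tenantSpecific: true })); // protected
```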