Activity
alexchamberlain commented on Jul 9, 2017
I agree that seeing the rationale would be great, but please don't do this within the checklist, as you probably don't want to read it every time you read the checklist.
netcode commented on Jul 9, 2017
A very good idea. Maybe we can start to make separate files as a reference for every check point.
StillLearnin commented on Mar 25, 2018
How about wiki pages that are linked to from the list?
darioseidl commented on Oct 1, 2021
Without a rationale for each recommendation, the checklist is not very useful (to me at least).
Security is never perfect or absolute, so whether and how to secure something depends on how sensitive the data is and who you are protecting it from. And while some practices are widely accepted, there are disagreements about others. Take for example the discussions on Basic Auth and JWT in the issues on this repo. A rationale for why the author(s) of this checklist recommend using JWT Bearer Auth over Basic Auth would be good. (IMO, neither is perfect, but both can be good enough for some APIs.)
montchr commented on Jun 14, 2022
I agree that this list does not come across as useful to me. A security checklist asking its users to follow its advice without question paradoxically undermines the security-conscious process and mindset the checklist appears to support.
Maikuolan commented on Jul 24, 2022
Anyone want to try having a go at this, make some PRs, etc?