Hey I was reviewing security on some sites I managed and checked to see if the recommendations were in the BCP.
I don't see anything around cookies such as HttpOnly, SameSite, Secure. I saw some HTTP security header suggestions buried in 4.16 (X-Frame-Options, CSP), but not for Strict-Transport-Security, Permissions-Policy, or X-Content-Type-Options, and the CSP guidance is rather vague. I understand these are general web security best practices, and perhaps I missed it, but I think it would be useful to call out that best security practices around cookies and headers should also be followed in Section 2, and either have the best practices included, or direct the reader where to find them. /Dick
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
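The kind of review the post describes, written out as an added example that is not part of the original message or of the BCP: given a captured response's headers and Set-Cookie values, report which of the cookie attributes (Secure, HttpOnly, SameSite) and headers (Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy with a framing restriction, Permissions-Policy) are missing or weak. The one-year HSTS minimum, the `__Host-` prefix rule, and the sample responses are assumptions and constructed data, not values taken from the draft.

```python
"""Audit cookie attributes and HTTP security headers of a captured response.

Added example; thresholds (MIN_HSTS_MAX_AGE) and the sample responses below
are assumptions / constructed data, not taken from the OAuth BCP.
"""
from __future__ import annotations

import re

# Assumed minimum HSTS max-age: one year, the usual recommendation.
MIN_HSTS_MAX_AGE = 31536000


def _parse_set_cookie(value: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie value into (cookie name, {attr: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map
    to None so presence can be tested with `in`.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            k, v = part.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def audit_cookie(value: str) -> list[str]:
    """Return findings for a single Set-Cookie header value."""
    name, attrs = _parse_set_cookie(value)
    findings: list[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict", "none"):
        findings.append(f"{name}: SameSite not set explicitly")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure")
    # __Host- prefixed cookies must be Secure, Path=/ and carry no Domain.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append(f"{name}: __Host- prefix requires Secure, Path=/ and no Domain")
    return findings


def _csp_directives(csp: str) -> dict[str, str]:
    """Parse 'name value; name value' into a lower-cased directive map."""
    out: dict[str, str] = {}
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive:
            dname, _, dvalue = directive.partition(" ")
            out[dname.lower()] = dvalue.strip()
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for the response headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        dirs = _csp_directives(csp)
        script_src = dirs.get("script-src", dirs.get("default-src", "")).lower()
        # 'unsafe-inline' is only a problem when no nonce/strict-dynamic overrides it.
        if ("'unsafe-inline'" in script_src and "'nonce-" not in script_src
                and "'strict-dynamic'" not in script_src):
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")

    framing_ok = ("frame-ancestors" in csp.lower()
                  or h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"))
    if not framing_ok:
        findings.append("no framing restriction (CSP frame-ancestors or X-Frame-Options)")

    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    return findings


def audit_response(headers: dict[str, str], set_cookies: list[str]) -> list[str]:
    """Combine header and cookie findings for one response."""
    findings = audit_headers(headers)
    for cookie in set_cookies:
        findings.extend(audit_cookie(cookie))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
WEAK_COOKIES = ["session=abc123; Path=/"]

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
HARDENED_COOKIES = ["__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, audit_response(hdrs, cookies) or ["no findings"])
```

Run it against a real response by feeding `audit_response` the header dict and the list of Set-Cookie values from your HTTP client; the X-Frame-Options check is kept only as a fallback because `frame-ancestors` in CSP is what current browsers honour.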