I don't think the Security BCP should incorporate cookie best practices directly in the document. If anything, it sounds like possibly a candidate for inclusion in the Browser Apps BCP.
There are already some mentions of these cookie properties in the Browser Apps BCP, though only in reference to specific architectures, not as a general best practice. For example:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html#pattern-bff-cookie-security

Aaron

On Sun, Nov 5, 2023 at 10:48 AM Dick Hardt <dick.ha...@gmail.com> wrote:
> Hey
>
> I was reviewing security on some sites I managed and checked to see if the recommendations were in the BCP.
>
> I don't see anything around cookies such as httpOnly, sameSite, secure.
>
> I saw some HTTP security header suggestions buried in 4.16 (X-Frame-Options, CSP), but not for Strict-Transport-Security, Permissions-Policy, or X-Content-Type-Options, and the CSP guidance is rather vague.
>
> I understand these are general web security best practices, and perhaps I missed it, but I think it would be useful to call out that best security practices around cookies and headers should also be followed in Section 2, and either have the best practices included, or direct the reader where to find them.
>
> /Dick
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
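For readers who want the concrete shape of what the thread is discussing: the block below is an added example written for this archive page, not code from either BCP draft or from Aaron or Dick. It assumes a Node.js backend-for-frontend (BFF) that issues a session cookie, and all function and constant names in it (buildSessionCookie, securityHeaders, auditResponse, WEAK_RESPONSE, HARDENED_RESPONSE) are hypothetical. It builds a cookie with the HttpOnly, Secure and SameSite attributes, emits the headers named in the thread (Strict-Transport-Security, Content-Security-Policy with frame-ancestors, X-Content-Type-Options, X-Frame-Options, Permissions-Policy), and audits a response for the ones that are missing, so the same check can be run against a server the reader manages.

```javascript
// Added example for a hypothetical BFF; not part of the OAuth BCP drafts.
// Node.js, no dependencies.

// Defaults a session cookie should carry: not readable from script (HttpOnly),
// only sent over TLS (Secure), not attached to cross-site requests (SameSite).
const COOKIE_ATTR_DEFAULTS = { httpOnly: true, secure: true, sameSite: 'Lax', path: '/' };

// Build a Set-Cookie header value. Rejects combinations browsers refuse.
function buildSessionCookie(name, value, opts = {}) {
  const o = { ...COOKIE_ATTR_DEFAULTS, ...opts };
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  // RFC 6265 cookie-octet: no control chars, whitespace, '"', ',', ';' or '\'.
  if (!/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/.test(value)) {
    throw new Error('cookie value contains characters not allowed by RFC 6265');
  }
  if (o.sameSite === 'None' && !o.secure) throw new Error('SameSite=None requires Secure');
  // A __Host- prefixed cookie must be Secure, Path=/ and carry no Domain.
  if (name.startsWith('__Host-') && (!o.secure || o.path !== '/' || o.domain)) {
    throw new Error('__Host- prefix requires Secure, Path=/ and no Domain');
  }
  const parts = [`${name}=${value}`, `Path=${o.path}`];
  if (o.domain) parts.push(`Domain=${o.domain}`);
  if (o.maxAge !== undefined) parts.push(`Max-Age=${o.maxAge}`);
  if (o.secure) parts.push('Secure');
  if (o.httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${o.sameSite}`);
  return parts.join('; ');
}

// Response headers the thread asks the BCP to call out. Values are one
// reasonable baseline for a BFF that serves its own HTML, not a universal rule.
function securityHeaders() {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Content-Security-Policy':
      "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Audit a response. `headers` is an object keyed by header name (any case);
// Set-Cookie may be a string or an array. Returns a list of findings.
function auditResponse(headers) {
  const findings = [];
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  for (const c of [].concat(h['set-cookie'] || [])) {
    const [nameValue, ...attrs] = c.split(';').map((s) => s.trim());
    const name = nameValue.split('=')[0];
    const lower = attrs.map((a) => a.toLowerCase());
    if (!lower.includes('httponly')) findings.push(`cookie ${name}: missing HttpOnly`);
    if (!lower.includes('secure')) findings.push(`cookie ${name}: missing Secure`);
    const ss = lower.find((a) => a.startsWith('samesite='));
    if (!ss) findings.push(`cookie ${name}: missing SameSite`);
    else if (ss === 'samesite=none' && !lower.includes('secure')) {
      findings.push(`cookie ${name}: SameSite=None without Secure`);
    }
  }

  if (!h['strict-transport-security']) findings.push('missing Strict-Transport-Security');
  const csp = h['content-security-policy'];
  if (!csp) findings.push('missing Content-Security-Policy');
  else {
    // Framing protection can come from either mechanism; flag only if neither is present.
    if (!/frame-ancestors/i.test(csp) && !h['x-frame-options']) {
      findings.push('no framing protection (frame-ancestors or X-Frame-Options)');
    }
    if (/unsafe-inline/i.test(csp)) findings.push("CSP allows 'unsafe-inline'");
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');
  return findings;
}

// Constructed sample responses (not captured from any real site).
const WEAK_RESPONSE = {
  'Set-Cookie': ['session=abc123; Path=/', 'prefs=dark; Path=/; SameSite=None'],
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
};
const HARDENED_RESPONSE = {
  ...securityHeaders(),
  'Set-Cookie': [buildSessionCookie('__Host-session', 'abc123', { maxAge: 900 })],
};

console.log('weak:', auditResponse(WEAK_RESPONSE));
console.log('hardened:', auditResponse(HARDENED_RESPONSE));
```

The audit is deliberately coarse: it checks presence of the attributes and headers, plus the two combinations browsers outright reject or that defeat the header's purpose (SameSite=None without Secure, a CSP carrying 'unsafe-inline'). A full CSP review needs the page's actual script and frame inventory, which is exactly why a BCP can only point at the general guidance rather than prescribe one policy string.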