I agree with Aaron!

Also we should be very careful about any additions to the Security BCP at this point. It is very easy to re-start the "one more thing" loop we've been stuck in for the last few years. There may be more useful things to say, but we should put them on the list for a future second version of the BCP.

-Daniel

On 05.11.23 at 20:03, Aaron Parecki wrote:
I don't think the Security BCP should incorporate cookie best practices directly in the document. If anything, it sounds like possibly a candidate for inclusion in the Browser Apps BCP.

There are already some mentions of these cookie properties mentioned in the Browser Apps BCP, though only in reference to specific architectures, not as a general best practice. For example:

https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html#pattern-bff-cookie-security

Aaron

On Sun, Nov 5, 2023 at 10:48 AM Dick Hardt <dick.ha...@gmail.com> wrote:

    Hey

    I was reviewing security on some sites I managed and checked to
    see if the recommendations were in the BCP.

    I don't see anything around cookies such as httpOnly, sameSite,
    secure.

    I saw some HTTP security header suggestions buried in 4.16
    (X-Frame-Options, CSP), but not for Strict-Transport-Security,
    Permissions-Policy, or X-Content-Type-Options, and the CSP
    guidance is rather vague.

    I understand these are general web security best practices, and
    perhaps I missed it, but I think it would be useful to call out
    that best security practices around cookies and headers should
    also be followed in Section 2, and either have the best practices
    included, or direct the reader where to find them.

    /Dick

    _______________________________________________
    OAuth mailing list
    OAuth@ietf.org
    https://www.ietf.org/mailman/listinfo/oauth


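As an added illustration of the cookie attributes and response headers Dick lists above (example code written for this page, not from the thread or from either BCP), the following Python audits one HTTP response for those settings; the sample response and the __Host- prefix check are assumptions added here.

```python
REQUIRED_COOKIE_ATTRS = ("httponly", "secure", "samesite")
REQUIRED_HEADERS = (
    "strict-transport-security", "x-content-type-options", "permissions-policy",
    "content-security-policy", "x-frame-options",
)

def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, {attribute: value}), attribute names lower-cased."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def cookie_findings(value):
    """Return the problems found in one Set-Cookie header (empty list when none)."""
    name, attrs = parse_set_cookie(value)
    findings = [f"{name}: missing {a}" for a in REQUIRED_COOKIE_ATTRS if a not in attrs]
    # Browsers reject SameSite=None unless the cookie is also Secure.
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure")
    # The __Host- prefix is only honoured with Secure, Path=/ and no Domain attribute.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append(f"{name}: __Host- prefix requires Secure, Path=/ and no Domain")
    return findings

def header_findings(headers):
    """Flag required security headers that are absent; header names are case-insensitive."""
    present = {k.lower() for k in headers}
    return [f"missing header {h}" for h in REQUIRED_HEADERS if h not in present]

def audit(headers, set_cookies):
    """Combine header and Set-Cookie findings for one response."""
    findings = header_findings(headers)
    for sc in set_cookies:
        findings.extend(cookie_findings(sc))
    return findings

# Constructed sample: CSP and X-Frame-Options present, the other headers absent,
# one unprotected session cookie and one correctly attributed __Host- cookie.
SAMPLE_HEADERS = {"Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY"}
SAMPLE_COOKIES = ["session=abc123; Path=/",
                  "__Host-bff=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HEADERS, SAMPLE_COOKIES)))
```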