...

This applies whenever a REST client or a browser accesses the application. Most applications expose a REST-based API when communicating with an external client.

Recommendations[1]:

  • Use TLS; SSL (all versions) is no longer considered secure.
  • All pages must be served over HTTPS. This includes CSS, scripts, images, AJAX requests, POST data and third-party includes. Failure to do so creates a vector for man-in-the-middle attacks.
  • Protecting only the authenticated pages with HTTPS is not enough. As soon as a single request goes over plain HTTP, a man-in-the-middle can tamper with it, for example to keep users from ever reaching the secured pages.
  • The HTTP Strict-Transport-Security (HSTS) header must be sent, and the domain should be submitted to the browser preload list. This instructs compatible browsers to use only HTTPS for the domain, even when an HTTP URL is requested; preloading extends that protection to the very first visit, before any HSTS header has been seen.
  • Cookies must be marked as Secure.
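The recommendations above, put together in one small Go net/http server. This is an added example, not code from the original page or from the OWASP cheat sheet it cites: the plaintext listener only redirects to HTTPS, the TLS listener refuses anything below TLS 1.2 (Go's crypto/tls never negotiates SSL at all), every HTTPS response carries an HSTS header with the preload directive, and the session cookie is issued with the Secure flag. The hostname api.example.com, the /api/ endpoint, the cookie name and the cert.pem/key.pem paths are assumptions for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net/http"
)

// canonicalHost is the assumed public hostname. Redirects are built from this
// fixed value rather than from the Host request header so that an attacker
// cannot steer the redirect to a host of their choosing.
const canonicalHost = "api.example.com"

// hstsValue is the Strict-Transport-Security policy sent on every HTTPS
// response. One year max-age, includeSubDomains and the preload directive are
// the preconditions for submission to the browser preload list.
const hstsValue = "max-age=31536000; includeSubDomains; preload"

// tlsConfig returns a server-side TLS configuration that rejects TLS 1.0 and
// 1.1; SSLv2/SSLv3 are never offered by crypto/tls in the first place.
func tlsConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
}

// redirectToHTTPS is the only handler on the plaintext port. It never serves
// content; every page, script or AJAX call that arrives over HTTP is sent a
// permanent redirect to the same path on the HTTPS origin.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + canonicalHost + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// withHSTS adds the HSTS header to responses that actually went over TLS.
// Browsers ignore HSTS received over plain HTTP, so there is no point (and
// some confusion) in emitting it there.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", hstsValue)
		}
		next.ServeHTTP(w, r)
	})
}

// sessionCookie builds a session cookie the browser will only send over HTTPS
// (Secure) and that page scripts cannot read (HttpOnly).
func sessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "session", // assumed cookie name
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// apiHandler is a placeholder REST endpoint that issues the session cookie.
func apiHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, sessionCookie("opaque-session-id"))
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"status":"ok"}`)
}

// secureHandler assembles the handler chain served on the TLS listener.
func secureHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/", apiHandler)
	return withHSTS(mux)
}

func main() {
	// Port 80 exists only to redirect; nothing is ever served from it.
	go func() {
		log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS)))
	}()
	srv := &http.Server{
		Addr:      ":443",
		Handler:   secureHandler(),
		TLSConfig: tlsConfig(),
	}
	// cert.pem and key.pem are assumed paths to the server certificate and key.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

A quick check after deploying: `curl -I http://api.example.com/api/items` should return 301 with an https Location and no body, and `curl -I https://api.example.com/api/items` should show the Strict-Transport-Security header and a Set-Cookie line containing Secure.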

...

Protocol | Status
TLS      | Approved
SSL      | Do not use

Reference

  1. OWASP Transport Layer Protection Cheat Sheet, https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet