diff --git a/README.md b/README.md index 54920e1..1f4db2f 100644 --- a/README.md +++ b/README.md @@ -38,8 +38,9 @@ Checklist of the most important security countermeasures when designing, testing - [ ] Validate `content-type` of posted data as you accept (e.g., `application/x-www-form-urlencoded`, `multipart/form-data`, `application/json`, etc.). - [ ] Validate user input to avoid common vulnerabilities (e.g., `XSS`, `SQL-Injection`, `Remote Code Execution`, etc.). - [ ] Don't use any sensitive data (`credentials`, `Passwords`, `security tokens`, or `API keys`) in the URL, but use standard Authorization header. +- [ ] Use an API Gateway service to enable caching, Rate Limit policies (e.g. `Quota`, `Spike Arrest`, or `Concurrent Rate Limit`) and deploy APIs resources dynamically. +- [ ] Use API signature to prevent some guy testing manually or automatically - [ ] Use only server-side encryption. -- [ ] Use an API Gateway service to enable caching, Rate Limit policies (e.g., `Quota`, `Spike Arrest`, or `Concurrent Rate Limit`) and deploy APIs resources dynamically. ## Processing - [ ] Check if all the endpoints are protected behind authentication to avoid broken authentication process. @@ -50,6 +51,7 @@ Checklist of the most important security countermeasures when designing, testing - [ ] Use a CDN for file uploads. - [ ] If you are dealing with huge amount of data, use Workers and Queues to process as much as possible in background and return response fast to avoid HTTP Blocking. - [ ] Do not forget to turn the DEBUG mode OFF. +- [ ] Make sure id send via params/query string (uid, cid... for example) is owned by user requested API to prevent IODR - [ ] Use non-executable stacks when available. ## Output
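Review bot: the new checklist item in the first hunk, `Use API signature to prevent some guy testing manually or automatically`, is too vague and informal to be actionable; state the mechanism and the threat it addresses, e.g. "Require request signing (e.g., an HMAC over the request body and a timestamp) so requests cannot be forged, tampered with, or replayed by manual or automated probing." In the same hunk, the moved API Gateway line changes `e.g.,` to `e.g.`, which breaks consistency with every other item in this section; keep the original `e.g.,` punctuation when moving the line.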
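Review bot: the second hunk's added item misspells the vulnerability (`IODR` should be `IDOR`, Insecure Direct Object Reference) and has grammar problems that make the check hard to read; suggest "Make sure IDs sent via path params or query string (e.g., `uid`, `cid`) belong to the authenticated user making the request, to prevent IDOR." Since this is an authorization check, it should also spell out that the ownership check happens server-side on every request rather than relying on the client-supplied value.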