release version 1.0.2 #3

Merged
merged 5 commits into from
Jun 6, 2024
30 changes: 21 additions & 9 deletions js/config.js
Expand Up @@ -3,15 +3,27 @@ let respecConfig = {
shortName: "mod-ts",
specType: "HR",
specStatus: "DEF",
publishDate: "2024-03-07",
publishVersion: "1.0.1",
previousPublishVersion: "1.0.0",
previousPublishDate: "2023-12-21",
editors: [{
name: "Kennisplatform API's",
company: "Kennisplatform API's",
companyURL: "https://github.com/Geonovum/KP-APIs",
}],
publishDate: "2024-06-06",
publishVersion: "1.0.2",
previousPublishVersion: "1.0.1",
previousPublishDate: "2024-03-07",
editors: [
{
"company" : "Geonovum",
"companyURL" : "https://www.geonovum.nl",
"name" : "Frank Terpstra"
},
{
"company" : "Logius",
"companyURL" : "https://www.logius.nl",
"name" : "Alexander Green"
},
{
"company" : "Logius",
"companyURL" : "https://www.logius.nl",
"name" : "Martin van der Plas"
}
],
authors: [{
name: "Kennisplatform API's",
company: "Kennisplatform API's",
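Review bot: the new `editors` entries use quoted keys with a space before the colon (`"company" : "Geonovum"`), while `shortName`, `publishDate` and the `authors` entries in the same object use bare keys, so the file now mixes two object-literal styles; write them as `company: "Geonovum"`, `companyURL: "https://www.geonovum.nl"`, `name: "Frank Terpstra"` to match the rest of `respecConfig`. The version bump itself is consistent: `previousPublishVersion`/`previousPublishDate` take over the old `publishVersion: "1.0.1"` and `publishDate: "2024-03-07"`. Note that the old `companyURL: "https://github.com/Geonovum/KP-APIs"` disappears together with the replaced "Kennisplatform API's" editor entry; confirm that dropping that link from the editors list is intended.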
19 changes: 11 additions & 8 deletions transport-security.md
Expand Up @@ -11,16 +11,18 @@ Note: security controls for signing and encrypting of application level messages
## Transport security
One should secure all APIs assuming they can be accessed from any location on the internet. Information MUST be exchanged over TLS-based secured connections. No exceptions, so everywhere and always. This is [required by law](https://wetten.overheid.nl/BWBR0048156/2023-07-01). One SHOULD follow [the latest NCSC guidelines for TLS](https://english.ncsc.nl/publications/publications/2021/january/19/it-security-guidelines-for-transport-layer-security-2.1)

<div class="rule" id="api-11">
<p class="rulelab"><strong>API-11</strong>: Secure connections using TLS</p>
<span id="api-11"></span>
<div class="rule" id="/transport/tls">
<p class="rulelab"><strong>/transport/tls</strong>: Secure connections using TLS</p>
<p>Secure connections using TLS following the latest NCSC guidelines [[NCSC.TLS]].</p>
<p>Since the connection is always secured, the access method can be straightforward. This allows the application of basic access tokens instead of encrypted access tokens.</p>
</div>

Even when using TLS-based secured connections information in URIs is not secured. URIs can be cached and logged outside of the servers controlled by clients and servers. Any information contained in them should therfor be considered readable by anyone with access to the netwerk being used (in case of the internet the whole world) and MUST NOT contain any sensitive information. Neither client secrets used for authentication, privacy sensitive informations suchs as BSNs nor any other information which should not be shared. Be aware that queries (anything after the '?' in a URI) are also part of an URI.

<div class="rule" id="api-58">
<p class="rulelab"><strong>API-58</strong>: No sensitive information in URIs</p>
<span id="api-58"></span>
<div class="rule" id="/transport/no-sensitive-uris">
<p class="rulelab"><strong>/transport/no-sensitive-uris</strong>: No sensitive information in URIs</p>
<p>Do not put any sensitive information in URIs</p>
<p>Even when the connection is secure URIs can be cached and logged, in systems outside the control of client and/or server.</p>
</div>
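Review bot: the rename from `api-11`/`api-58` to `/transport/tls`/`/transport/no-sensitive-uris` keeps `<span id="api-11"></span>` and `<span id="api-58"></span>` in front of each rule, so existing deep links to the old rule ids still resolve; apply that same fallback-anchor pattern to every rule renamed in this PR. Ids beginning with `/` are valid HTML, but they must be escaped in CSS selectors and `querySelector` calls, so check any stylesheet or script that addresses `.rule` elements by id. While this file is open, the unchanged paragraph above the second rule carries several typos ('therfor', 'netwerk', 'informations suchs as', 'an URI') that are worth a follow-up fix.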
Expand Down Expand Up @@ -48,8 +50,8 @@ System-to-system (sometimes called machine-to-machine) may have a need for the l

### Security Headers

<div class="rule" id="security-headers">
<p class="rulelab"><strong>security-headers</strong>: Use mandatory security headers in API all responses</p>
<div class="rule" id="/transport/security-headers">
<p class="rulelab"><strong>/transport/security-headers</strong>: Use mandatory security headers in API all responses</p>
<p>Return API security headers in all server responses to instruct the client to act in a secure manner</p>
</div>

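Review bot: unlike the other renamed rules in this PR, `security-headers` -> `/transport/security-headers` keeps no `<span id="security-headers"></span>` fallback anchor, so any existing link to `#security-headers` breaks; add the span before the `<div class="rule" id="/transport/security-headers">` as is done for `api-11`. The rewritten rulelab line also carries over the word-order error 'Use mandatory security headers in API all responses'; since the line is being changed anyway, make it 'in all API responses'.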
Expand Down Expand Up @@ -82,8 +84,9 @@ The precense of the mandatory security headers can be tested in an automated way

### CORS-policy

<div class="rule" id="api-50">
<p class="rulelab"><strong>API-50</strong>: Use CORS to control access</p>
<span id="api-50"></span>
<div class="rule" id="/transport/cors">
<p class="rulelab"><strong>/transport/cors</strong>: Use CORS to control access</p>
<p>Use CORS to restrict access from other domains (if applicable).</p>
</div>

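Review bot: the rename to `/transport/cors` correctly keeps `<span id="api-50"></span>`, consistent with the TLS and URI rules. Since the rulelab text is being rewritten here, consider spelling out the '(if applicable)' qualifier: CORS is enforced by browsers only, so it limits which web origins may read API responses from scripts and does nothing to restrict non-browser clients, which still rely on the access-token controls referenced earlier in this file.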