Rationales #8
Comments
I agree that seeing the rationale would be great, but please don't do this within the checklist, as you probably don't want to read it every time you read the checklist.
A very good idea. Maybe we can start to make separate files as a reference for every check point.
How about wiki pages that are linked to from the list?
Without a rationale for each recommendation, the checklist is not very useful (to me at least). Security is never perfect or absolute, so whether and how to secure something depends on how sensitive the data is and who you are protecting it from. And while some practices are widely accepted, there are disagreements about others. Take for example the discussions on Basic Auth and JWT in the issues on this repo. A rationale for why the author(s) of this checklist recommend using JWT Bearer Auth over Basic Auth would be good. (IMO, neither is perfect, but both can be good enough for some APIs)
I agree that this list does not come across as useful to me. A security checklist asking its users to follow its advice without question paradoxically undermines the security-conscious process and mindset the checklist appears to support.
Anyone want to try having a go at this, make some PRs, etc?
Each thing in the list deserves a file on the rationale behind it, even if those are largely URLs.