docs: add "OWASP API Security Top 10 2023" to Security Guidelines #8669

Merged: 2 commits from docs-security-top10-api into codeigniter4:develop, Apr 5, 2024

Conversation

kenjis (Member) commented Mar 28, 2024

Needs #8652

Description

  • add "OWASP API Security Top 10 2023"

Frankly, CI4 offers very few features for API Security.

Checklist:

  • [x] Securely signed commits
  • [ ] Component(s) with PHPDoc blocks, only if necessary or adds value
  • [ ] Unit testing, with >80% coverage
  • [x] User guide updated
  • [ ] Conforms to style guide

@kenjis kenjis added the documentation Pull requests for documentation only label Mar 28, 2024
@kenjis kenjis marked this pull request as draft March 28, 2024 08:53
@github-actions github-actions bot added the stale Pull requests with conflicts label Mar 29, 2024
github-actions bot commented Mar 29, 2024

👋 Hi, @kenjis!

We detected conflicts in your PR against the base branch 🙊
You may want to sync 🔄 your branch with upstream!

Ref: Syncing Your Branch

@kenjis kenjis force-pushed the docs-security-top10-api branch from fb5d619 to 6205a66 on March 29, 2024 05:26
@kenjis kenjis removed the stale Pull requests with conflicts label Mar 29, 2024
@kenjis kenjis force-pushed the docs-security-top10-api branch from 6205a66 to 24089a3 on April 3, 2024 21:48
@kenjis kenjis marked this pull request as ready for review April 3, 2024 21:49
kenjis (Member, Author) commented Apr 5, 2024

This is the last PR for v4.4.8.
Review, please.

Review comments on the user guide text (the indented lines are quoted from the added page):

    OWASP recommendations
    ---------------------

    - Implement a proper authorization mechanism that relies on the user policies and

Contributor left a comment on this line.

    - When exposing an object using an API endpoint, always make sure that the user
      should have access to the object's properties you expose.
    - Avoid using generic methods such as to_json() and to_string(). Instead,

Contributor commented:

There are code identifiers here (to_json() and to_string()); it is better to mark them up as code.

kenjis (Member, Author) replied:

Since CI does not provide such methods, why not just leave it as it is?
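
An added example (not code from the CodeIgniter project or from this PR) of the two recommendations quoted in the review above: an object-level authorization policy, and returning hand-picked object properties instead of serialising the whole object with a generic method. It is plain PHP 8.1+ (readonly promoted properties) so it runs with php outside the framework; every class, field and function name, and the sample rows, are hypothetical and constructed here. The insecure function shows the pattern the guideline warns against (any id reachable by any caller, json_encode() of the full record); the secure pair adds the policy check and a per-caller property whitelist.

```php
<?php
declare(strict_types=1);

// Added example, not code from CodeIgniter or from this PR. Plain PHP 8.1+
// showing the two recommendations quoted in the review: an object-level policy
// check and hand-picked response properties instead of serialising the whole
// object. Every class, field and function name below is hypothetical.

final class UserRecord
{
    public function __construct(
        public readonly int $id,
        public readonly string $email,
        public readonly string $displayName,
        public readonly string $passwordHash, // server-side only
        public readonly string $mfaSecret,    // server-side only
        public readonly string $lastLoginIp,  // audit data, admin-only
        public readonly bool $isAdmin,
    ) {
    }
}

final class Requester
{
    public function __construct(
        public readonly int $id,
        public readonly bool $isAdmin,
    ) {
    }
}

// Constructed sample rows standing in for a users table.
function sampleUsers(): array
{
    return [
        1 => new UserRecord(1, 'alice@example.test', 'Alice', '$2y$10$hashA', 'JBSWY3DPEHPK3PXP', '203.0.113.7', false),
        2 => new UserRecord(2, 'bob@example.test', 'Bob', '$2y$10$hashB', 'KRSXG5CTMVRXEZLU', '198.51.100.9', false),
        3 => new UserRecord(3, 'root@example.test', 'Root', '$2y$10$hashR', 'GEZDGNBVGY3TQOJQ', '192.0.2.1', true),
    ];
}

// BEFORE: any authenticated caller can fetch any id, and json_encode() emits
// every public property, including the password hash and MFA secret.
function showUserInsecure(Requester $caller, int $id): string
{
    $user = sampleUsers()[$id] ?? null;
    if ($user === null) {
        return json_encode(['error' => 'not found']);
    }
    return json_encode($user);
}

// AFTER, step 1: an explicit policy decides whether this caller may read this
// particular object. Here the rule is "the owner or an administrator".
function canViewUser(Requester $caller, UserRecord $target): bool
{
    return $caller->isAdmin || $caller->id === $target->id;
}

// AFTER, step 2: the response is assembled from a property list chosen per
// caller. The hash, the MFA secret and any column added to the table later
// never appear unless someone lists them here on purpose.
function presentUser(Requester $caller, UserRecord $user): array
{
    $out = [
        'id'          => $user->id,
        'displayName' => $user->displayName,
        'email'       => $user->email,
    ];
    if ($caller->isAdmin) {
        $out['isAdmin']     = $user->isAdmin;
        $out['lastLoginIp'] = $user->lastLoginIp;
    }
    return $out;
}

function showUserSecure(Requester $caller, int $id): string
{
    $user = sampleUsers()[$id] ?? null;
    // One response for "missing" and "forbidden" so ids cannot be enumerated.
    if ($user === null || !canViewUser($caller, $user)) {
        return json_encode(['error' => 'not found']);
    }
    return json_encode(presentUser($caller, $user));
}

$bob   = new Requester(2, false);
$admin = new Requester(3, true);

echo "insecure, Bob reads Alice: ", showUserInsecure($bob, 1), PHP_EOL; // leaks her secrets
echo "secure,   Bob reads Alice: ", showUserSecure($bob, 1), PHP_EOL;   // denied by canViewUser()
echo "secure,   Bob reads Bob:   ", showUserSecure($bob, 2), PHP_EOL;   // owner view
echo "secure,   admin reads Bob: ", showUserSecure($admin, 2), PHP_EOL; // adds admin-only properties
```

In a CodeIgniter controller the same structure applies: run the policy check before returning anything about the row, and hand the array built by the presenter, not the entity or model result, to the response.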

@kenjis kenjis merged commit e05781b into codeigniter4:develop Apr 5, 2024
3 checks passed
@kenjis kenjis deleted the docs-security-top10-api branch April 5, 2024 23:22