The only rationale for incorporating cookie and header best practices in the BCP would be if there is not a "good" reference to refer the reader to.
Aaron: Do you agree that the BCP should call out that cookie and header best practices should be followed?

On Sun, Nov 5, 2023 at 11:03 AM Aaron Parecki <aa...@parecki.com> wrote:

> I don't think the Security BCP should incorporate cookie best practices directly in the document. If anything, it sounds like possibly a candidate for inclusion in the Browser Apps BCP.
>
> There are already some mentions of these cookie properties mentioned in the Browser Apps BCP, though only in reference to specific architectures, not as a general best practice. For example:
>
> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html#pattern-bff-cookie-security
>
> Aaron
>
> On Sun, Nov 5, 2023 at 10:48 AM Dick Hardt <dick.ha...@gmail.com> wrote:
>
>> Hey
>>
>> I was reviewing security on some sites I managed and checked to see if the recommendations were in the BCP.
>>
>> I don't see anything around cookies such as httpOnly, sameSite, secure.
>>
>> I saw some HTTP security header suggestions buried in 4.16 (X-Frame-Options, CSP), but not for Strict-Transport-Security, Permissions-Policy, or X-Content-Type-Options, and the CSP guidance is rather vague.
>>
>> I understand these are general web security best practices, and perhaps I missed it, but I think it would be useful to call out that best security practices around cookies and headers should also be followed in Section 2, and either have the best practices included, or direct the reader where to find them.
>>
>> /Dick
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
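The kind of review Dick describes, as an added example that is not part of this thread or of either BCP: it audits a response's Set-Cookie attributes (HttpOnly, Secure, SameSite) and the presence of the headers named above; the sample headers are constructed, and a per-cookie HttpOnly finding may be a false positive for cookies a page deliberately reads from script.

```python
# Headers the thread asks the BCP to call out, compared case-insensitively.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "permissions-policy",
)


def parse_set_cookie(value: str) -> tuple[str, dict[str, str]]:
    """Return (cookie name, lowercased attributes); bare flags map to ""."""
    pair, *attrs = value.split(";")
    name = pair.split("=", 1)[0].strip()
    parsed: dict[str, str] = {}
    for attr in attrs:
        attr = attr.strip()
        if not attr:  # tolerate a trailing ";"
            continue
        key, _, val = attr.partition("=")
        parsed[key.lower()] = val.strip().lower()
    return name, parsed


def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """One finding per missing header or weak cookie attribute."""
    findings: list[str] = []
    present = {name.lower() for name, _ in headers}
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(f"missing header: {required}")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: missing Secure")
        # SameSite=None is an explicit opt-out, so treat it like absent.
        if attrs.get("samesite", "none") == "none":
            findings.append(f"cookie {cookie}: SameSite not Lax or Strict")
    return findings


# Constructed sample response headers, not captured from any real site.
SAMPLE_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "tracker=xyz; Path=/"),
]
```

Running `audit_response(SAMPLE_HEADERS)` reports three missing headers and three weak attributes on the `tracker` cookie, and nothing for `session`.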