Additional configuration recommendations for API7:2023 Security Misconfiguration

[securitylevelup]

The topic of Security Misconfiguration is broad and can easily turn into a large checklist of things to recommend. That said, is it beneficial to at least add several configuration recommendations in the main content such as:

• Implementing HSTS (HTTP Strict Transport Security)
• Configuring proper Allow Origin / X-Frame-Options headers
• Verifying Content-Type: application/graphql headers for GraphQL requests and blocking other or missing content-types.

Especially with the growth in GraphQL usage, I would recommend more examples and focus on protecting against GraphQL attacks.

[ErezYalon]

Thanks for the feedback.
Since The API Security Top 10 is an awareness document and not a "follow this list to be secure", we are not trying to supply comprehensive configuration and hardening lists. Giving examples of recommendations of different types make sense.
Another idea is maybe to add references to such trusted lists, from OWASP, or external.

[PauloASilva]

The topic of Security Misconfiguration is broad and can easily turn into a large checklist of things to recommend. That said, is it beneficial to at least add several configuration recommendations in the main content such as:

* Implementing HSTS (HTTP Strict Transport Security)
* Configuring proper Allow Origin / X-Frame-Options headers

Despite Security Headers are (briefly) covered in the "Is the API Vulnerable?" section: "Security or cache control directives are not sent to clients" and OWASP Secure Headers Project is already one of the references, I believe we can reinforce the "How to Prevent" recommendations.

* Verifying Content-Type: application/graphql headers for GraphQL requests and blocking other or missing content-types.

This recommendation makes sense in general and not only for GraphQL.

Especially with the growth in GraphQL usage, I would recommend more examples and focus on protecting against GraphQL attacks.

We would love to have not only more GraphQL examples, but also examples for other API protocols such as RPC. So, feel free to contribute them.

@securitylevelup would you like to review PR #106 and #107 and let me know whether your concerns/suggestions are addressed?

Cheers,
Paulo A. Silva

[securitylevelup]

I will take a look at specific GraphQL examples to contribute to the list. For now, I reviewed #106 and #107 and that looks great! Thanks for adding that in.