| Info |
|---|
In the case of cryptographic requirements exist, they should be referenced here. |
Only standard and mature cryptographic algorithms, operation modes, key lengths ciphers, and implementations MUST be used.
External transmissions
All external access and transmission MUST only be possible with HTTPS and valid certificates.
In addition to this, see HTTP Strict Transport Security (HSTS) requirement in section 8.12 Client-Side Securityfor protection UIs.
Perfect Forward Secrecy SHOULD be activated on external HTTPS servers.
MUST only be sent with anti-caching response headers (see Appendix A: Requirements for HTTP Security Header).
Internal transmissions
All internal access and transmissions MUST only be possible with HTTPS and valid certificates.
Application-internal (service-to-service) transmissions MAY be unencrypted if transmitted within trusted environments.
General TransmissionGeneral Transmission
Transmission of sensitive data SHOULD generally only be possible via TLS/HTTPS.
In cases where access requires HTTPS, requests via HTTP MUST be redirected to HTTPS. This SHOULD be implemented with a permanent redirection (HTTP 301).
HTTPS servers MUST only support current secure ciphers and protocols. Insecure ones (e.g. SSLv2 and RC4 cipher) MUST be deactivated.
Confidential data MUST only be sent within the HTTP Request Body (e.g. via HTTP POST) but not within URLs (exception: object IDs).
Transmission on untrusted channels (e.g. the Internet) MUST
only be possible with HTTPS using valid certificates.
using HTTP Strict Transport Security (HSTS) headers 8.12 Client-Side Security and
only be sent with anti-caching response headers (see Appendix A: Requirements for HTTP Security Header).
Encryption at Rest
Confidential data MUST be encrypted before stored on the client-side or on external cloud environments.Confidential data SHOULD be encrypted before stored on internal systems.
User passwords MUST be persisted with suitable methods (see section 8.6 User Passwords I: Strength and Usage).