| Info |
|---|
In the case of cryptographic requirements exist, they should be referenced here. |
Only standard and mature cryptographic algorithms, operation modes, key lengths ciphers, and implementations MUST be used.
General Transmission
Transmission of sensitive data SHOULD generally only be possible via TLS/HTTPS.
In cases where access requires HTTPS, requests via HTTP MUST be redirected to HTTPS. This SHOULD be implemented with a permanent redirection (HTTP 301).
HTTPS servers MUST only support current secure ciphers and protocols. Insecure ones (e.g. SSLv2 and RC4 cipher) MUST be deactivated.
Confidential data MUST only be sent within the HTTP Request Body (e.g. via HTTP POST) but not within URLs (exception: object IDs).
Transmission on untrusted channels (e.g. the Internet) MUST
only be possible with HTTPS using valid certificates.
using HTTP Strict Transport Security (HSTS) headers 8.12 13 Client-Side Security and
only be sent with anti-caching response headers (see Appendix A: Requirements for HTTP Security Header).
Encryption at Rest
Confidential data MUST be encrypted before stored on the client-side or on external cloud environments.
User passwords MUST be persisted with suitable methods (see section 8.6 User Passwords I: Strength and Usage).