
  1. Client-side code SHOULD be built entirely with mature JavaScript APIs (not ActiveX or Java):

    1. JSON code MUST only be parsed with a secure JavaScript API such as JSON.parse() (not eval()).

    2. Instead of unsafe JavaScript APIs that write HTML directly (e.g. ".innerHTML"), safe APIs SHOULD be used that only write text output (e.g. ".innerText" or ".textContent"). The same requirement applies to web frameworks that provide such functionality.

  2. HTTP headers that enforce client-side security MUST be implemented according to Appendix A: Requirements for HTTP Security Header.

  3. Confidential user data MAY be stored on the client side, but this SHOULD only be done in encrypted form.

  4. Non-confidential user states or meta-information MUST only be stored with sufficient integrity protection (e.g. as a signed JWT token).
