
Where cryptographic requirements exist, they should be referenced here.

  1. Only standard and mature cryptographic algorithms, operation modes, key lengths, ciphers, and implementations MUST be used.

  2. External transmissions

    1. All external access and transmission MUST only be possible with HTTPS and valid certificates.

    2. In addition to this, see the HTTP Strict Transport Security (HSTS) requirement in section 8.12 Client-Side Security for protecting UIs.

    3. Perfect Forward Secrecy SHOULD be activated on external HTTPS servers.

    4. MUST only be sent with anti-caching response headers (see Appendix A: Requirements for HTTP Security Header).

  3. Internal transmissions

    1. All internal access and transmissions MUST only be possible with HTTPS and valid certificates.

    2. Application-internal (service-to-service) transmissions MAY be unencrypted if transmitted within trusted environments.

  4. General Transmission

    1. In cases where access requires HTTPS, requests via HTTP MUST be redirected to HTTPS. This SHOULD be implemented with a permanent redirection (HTTP 301).

    2. HTTPS servers MUST only support current secure ciphers and protocols. Insecure ones (e.g. SSLv2 and the RC4 cipher) MUST be deactivated.

    3. Confidential data MUST only be sent within the HTTP request body (e.g. via HTTP POST) and not within URLs (exception: object IDs).

  5. Encryption at Rest

    1. Confidential data MUST be encrypted before being stored on the client side or in external cloud environments.

    2. Confidential data SHOULD be encrypted before being stored on internal systems.

    3. User passwords MUST be persisted with suitable methods (see section 8.6 User Passwords I: Strength and Usage).
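The transmission requirements above (2.3, 2.4, 4.1, 4.2, 4.3 and the HSTS reference) as a small policy layer in Python. This is an added example, not code from the original page or the project it belongs to; the function names, the header values, the cipher string and the `ssl` configuration are my own choices, and the hostnames are constructed.

```python
# Added example (not from the original page): enforcing the transmission
# requirements with a redirect rule, fixed response headers, a URL check
# and a server-side TLS policy. Names and values are my own choices.
import ssl
from urllib.parse import urlsplit, parse_qs

# Headers added to every HTTPS response. HSTS covers the section 8.12
# reference; the remaining three are the anti-caching headers of 2.4.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


def handle_request(scheme, host, path, query=""):
    """Requirement 4.1: plain HTTP is never served, only redirected.

    Returns (status, headers). A permanent (301) redirect points at the same
    resource over HTTPS. HSTS is deliberately not sent on the HTTP leg,
    because browsers ignore the header unless it arrives over HTTPS."""
    if scheme.lower() != "https":
        target = f"https://{host}{path}" + (f"?{query}" if query else "")
        return 301, {"Location": target, "Cache-Control": "no-store"}
    return 200, dict(SECURITY_HEADERS)


def confidential_in_url(url, confidential_params):
    """Requirement 4.3: confidential data belongs in the request body.

    Returns the names of query parameters from `confidential_params`
    (matched case-insensitively) that appear in the URL, so a request
    filter or a code reviewer can reject them. Object IDs are the stated
    exception and are simply not listed as confidential."""
    present = parse_qs(urlsplit(url).query, keep_blank_values=True)
    wanted = {p.lower() for p in confidential_params}
    return sorted(name for name in present if name.lower() in wanted)


def server_tls_context(certfile=None, keyfile=None):
    """Requirements 4.2 and 2.3: modern protocols, forward-secret suites only.

    TLS 1.2 is the floor, so SSLv2/SSLv3 and TLS 1.0/1.1 are off. The cipher
    string admits only ECDHE key exchange (forward secrecy for every session)
    and explicitly excludes RC4, MD5 and anonymous suites. TLS 1.3 suites are
    always forward secret and are not affected by the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLS1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:  # optional here so the policy can be inspected offline
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def forward_secret_only(ctx):
    """True if every enabled suite is ECDHE (TLS 1.2 names) or a TLS 1.3 suite."""
    return all(c["name"].startswith(("ECDHE-", "TLS_")) for c in ctx.get_ciphers())


if __name__ == "__main__":
    print(handle_request("http", "app.example.test", "/account"))
    print(confidential_in_url("https://app.example.test/reset?token=abc&id=7", {"token"}))
    ctx = server_tls_context()
    print(ctx.minimum_version.name, forward_secret_only(ctx))
```

`forward_secret_only` is the check to run against a context before deploying it: any suite name that does not start with `ECDHE-` or `TLS_` means the cipher string has let a non-forward-secret exchange through.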
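Requirement 5.3 above, persisting user passwords with a suitable method, as an added example in Python. Section 8.6 is not shown on this page, so treating a salted, iterated password hash (PBKDF2-HMAC-SHA256 from the standard library) as a suitable method is my assumption; the record format, the function names and the 600,000-iteration default are my own choices, not the project's.

```python
# Added example (not from the original page): storing and verifying user
# passwords with a per-user random salt, an iterated hash and a
# constant-time comparison. PBKDF2 as the "suitable method" is an
# assumption; the record layout and defaults are my own.
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # OWASP's published floor for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record to persist instead of the password.

    A fresh 16-byte random salt per user means two users with the same
    password get different records, and the iteration count is stored in
    the record so it can be raised later without invalidating old ones."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # malformed record: wrong field count or bad hex/int
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True if the record predates the current policy and should be rehashed
    on the next successful login (different algorithm or fewer iterations)."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("wrong", rec))
```

`needs_rehash` is what makes the stored iteration count useful: when the policy is tightened, records are upgraded transparently at the next successful login rather than by a forced password reset.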
