5.1.6 needs added clarity #1553
The recommendation sends the wrong signal, as if client-side validation is bad. It is not bad; it is just that, from a security point of view, you cannot rely on it.
How about:
May I suggest a slight rewrite for clarity: "Client-side validation, while still useful for other purposes, can be easily bypassed from a security perspective."
More food for thought. We had a similar discussion (#1031 (comment)) for access control requirement 4.1.1:
Also, we have a logging requirement that kind of expects that all input validation is done on the client side; otherwise you have a lot of noise to log on the trusted service layer. If input validation is done on the client side, then you have only 2 cases to log as input validation errors:
Can we go with something like that? Or: Verify that input validation is enforced on a trusted service layer. Client-side input validation is recommended for better usability, but security cannot rely on it.
I like it, Elar. Small change suggestion: Verify that input validation is enforced at a trusted server-side layer. While client-side validation improves usability, security must not rely solely on it.
Minor change: (We wanted to move away from the "server-side" expression).
This should be added to the new section described here: #1484 (comment). Should also add an entry to recommendations:
@elarlang to create the PR
I have done this with: 6b92836
Otherwise I think we are good on this one.
Suggest change:
to: