You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A [=URI=] MUST never contain a trailing slash. When requesting a resource including a trailing slash, this MUST result in a `404` (not found) error response and not a redirect. This forces API consumers to use the correct [=URI=].
90
+
A [=URI=] MUST NOT contain a trailing slash. When requesting a resource including a trailing slash, this MUST result in a `404` (not found) error response and not a redirect. This forces API consumers to use the correct [=URI=].
91
91
<div class="note">
92
92
This rule does not apply to the root resource (append <code>/</code> to the service root URL).
93
93
</div>
@@ -386,7 +386,7 @@ Although the REST architectural style does not impose a specific protocol, REST
386
386
<dl>
387
387
<dt>Statement</dt>
388
388
<dd>
389
-
Always use the semantically appropriate HTTP <a href="https://www.rfc-editor.org/rfc/rfc9110#name-status-codes">status code</a> ([[rfc9110]]) for the response.
389
+
An API MUST use the semantically appropriate HTTP <a href="https://www.rfc-editor.org/rfc/rfc9110#name-status-codes">status code</a> ([[rfc9110]]) for the response.
Model resource operations as a sub-resource or dedicated resource</a>.
473
+
Resource operations MUST be modelled as a sub-resource or dedicated resource</a>.
474
474
</dd>
475
475
<dt>Rationale</dt>
476
476
<dd>
@@ -591,7 +591,7 @@ Changes in APIs are inevitable. APIs should therefore always be versioned, facil
591
591
<dl>
592
592
<dt>Statement</dt>
593
593
<dd>
594
-
Implement well-documented deprecation schedules that are communicated in a timely fashion.
594
+
The API owner SHOULD implement well-documented deprecation schedules that are communicated in a timely fashion.
595
595
</dd>
596
596
<dt>Rationale</dt>
597
597
<dd>
@@ -651,7 +651,7 @@ Changes in APIs are inevitable. APIs should therefore always be versioned, facil
651
651
<dl>
652
652
<dt>Statement</dt>
653
653
<dd>
654
-
Publish a changelog.
654
+
A changelog MUST be publised for every API version.
655
655
</dd>
656
656
<dt>Rationale</dt>
657
657
<dd>
@@ -666,7 +666,7 @@ Changes in APIs are inevitable. APIs should therefore always be versioned, facil
666
666
<dl>
667
667
<dt>Statement</dt>
668
668
<dd>
669
-
Implement Semantic Versioning.
669
+
Semantic Versioning MUST be used for API versioning.
670
670
</dd>
671
671
<dt>Rationale</dt>
672
672
<dd>
@@ -685,7 +685,7 @@ Changes in APIs are inevitable. APIs should therefore always be versioned, facil
685
685
<dl>
686
686
<dt>Statement</dt>
687
687
<dd>
688
-
Return the API-Version header.
688
+
The API-Version header MUST be returned in a response header in every response.
689
689
</dd>
690
690
<dt>Rationale</dt>
691
691
<dd>
@@ -722,7 +722,7 @@ Note: security controls for signing and encrypting of application level messages
722
722
<dl>
723
723
<dt>Statement</dt>
724
724
<dd>
725
-
<p>One should secure all APIs assuming they can be accessed from any location on the internet. Information MUST be exchanged over TLS-based secured connections. No exceptions, so everywhere and always. This is <a href="https://wetten.overheid.nl/BWBR0048156/2023-07-01">required by law</a>.
725
+
<p>Information exchanged by APIs MUST be secured using TLS-based connections. No exceptions, so everywhere and always. This is <a href="https://wetten.overheid.nl/BWBR0048156/2023-07-01">required by law</a>.
726
726
<p>One MUST follow the latest NCSC guidelines [[NCSC 2025]].
727
727
</dd>
728
728
<dt>Rationale</dt>
@@ -791,7 +791,7 @@ For outbound filtering, the main concern is leaking of information.
791
791
<dl>
792
792
<dt>Statement</dt>
793
793
<dd>
794
-
Return API security headers in all server responses to instruct the client to act in a secure manner
794
+
API security headers MUST be returned in all server responses to instruct the client to act in a secure manner
795
795
</dd>
796
796
<dt>Rationale</dt>
797
797
<dd>
@@ -872,7 +872,7 @@ For outbound filtering, the main concern is leaking of information.
872
872
<dl>
873
873
<dt>Statement</dt>
874
874
<dd>
875
-
Use CORS to restrict access from other domains for applicable resources
875
+
CORS MUST be used to restrict access from other domains for applicable resources
876
876
</dd>
877
877
<dt>Rationale</dt>
878
878
<dd>
@@ -904,23 +904,22 @@ All browser-based applications SHOULD follow the best practices specified in [OA
904
904
These applications can be split into three architectural patterns:
905
905
906
906
* JavaScript applications with a backend; with this class of applications, the backend is the confidential client and should intermediate any interaction, with tokens never ending up in the browser.
907
-
Effectively, these are not different from regular web-application for this security facet, even though they leverage JavaScript for implementation.
907
+
Effectively, these are not different from regular web-application for this security facet, even though they leverage JavaScript for implementation.
908
908
* JavaScript applications that share a domain with the API (resource server); these can leverage cookies marked as HTTP-Only, Secure and SameSite.
909
909
* JavaScript applications without a backend; these clients are considered public clients, and are potentially more vulnerable to several types of attacks, including Cross-Site Scripting (XSS), Cross Site Request Forgery (CSRF) and OAuth token theft.
910
-
In order to support these clients, the Cross-Origin Resource Sharing (CORS) policy mentioned above is critical and MUST be supported.
910
+
In order to support these clients, the Cross-Origin Resource Sharing (CORS) policy mentioned above is critical and MUST be supported.
911
911
912
912
### Validate content types
913
913
914
-
A REST request or response body SHOULD match the intended content type in the header.
915
-
Otherwise this could cause misinterpretation at the consumer/producer side and lead to code injection/execution.
914
+
A REST request or response body SHOULD match the intended content type in the header. Otherwise this could cause misinterpretation at the consumer/producer side and lead to code injection/execution.
916
915
917
-
*Reject requests containing unexpected or missing content type headers with HTTP response status `406 Not Acceptable` or `415 Unsupported Media Type`.
918
-
*Avoid accidentally exposing unintended content types by explicitly defining content types e.g. Jersey (Java) `@consumes("application/json"); @produces("application/json")`.
919
-
This avoids XXE-attack vectors for example.
916
+
*Requests containing unexpected or missing content type headers MUST be rejected with HTTP response status `406 Not Acceptable` or `415 Unsupported Media Type`.
917
+
*Accidentally exposing unintended content types MUST be avoided by explicitly defining content types e.g. Jersey (Java) `@consumes("application/json"); @produces("application/json")`.
918
+
This avoids XXE-attack vectors for example.
920
919
921
-
It is common for REST services to allow multiple response types (e.g. `application/xml` or `application/json`, and the client specifies the preferred order of response types by the Accept header in the request.
920
+
It is common for REST services to allow multiple response types (e.g. `application/xml` or `application/json`) in which case then the client specifies the preferred order of response types by the Accept header in the request.
922
921
923
-
* Do NOT simply copy the `Accept` header to the `Content-type` header of the response.
922
+
* Do not simply copy the `Accept` header to the `Content-type` header of the response.
924
923
* Reject the request (ideally with a `406 Not Acceptable` response) if the Accept header does not specifically contain one of the allowable types.
925
924
926
925
Services (potentially) including script code (e.g. JavaScript) in their responses MUST be especially careful to defend against header injection attacks.
0 commit comments