RE: Content security model

> > 3) HTTP security controls should only secure content.
> > Signing headers is not only difficult, it is often counterproductive.
> > If a Web service depends on information in a header
> > there is probably something wrong.

What about the URI?
What about the method (GET, POST, DELETE...)?

Only protecting the body only works for RPC-style web services in which every request is a POST to a single API endpoint (eg POST /api/ HTTP/1.1). Even then the body needs to have an "audience" field that is likely to repeat the host (or URI).

HTTP/2 needs to support REST APIs, where the method and URI are crucial parts.

> > From these I draw the following conclusions:
> >
> > * HTTP 2.0 should draw a distinction between routing headers and
> >   content meta-data

Though I suspect there are lots of headers where this distinction is not crystal clear.

> > * HTTP encryption and authentication are necessary independent of TLS
> >   support

James Manger

Received on Thursday, 26 July 2012 00:05:29 UTC