- From: Asbjørn Ulsberg <asbjorn@ulsberg.no>
- Date: Wed, 15 Jan 2025 10:52:06 +0100
- To: Owen Rubel <orubel@gmail.com>
- Cc: Rahul Gupta <cxres@protonmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, "media-types@ietf.org" <media-types@ietf.org>
On 15 Jan 2025, at 03:20, Owen Rubel <orubel@gmail.com> wrote:

> So basically what I am saying is that since you hardcode the links for HATEOAS, they violate security like RBAC, which defines what ROLES can access which endpoints.

If you consider the existence and visibility of a particular link in a response message a security risk (although that sounds a bit like security by obscurity to me), or performance overhead, then just exclude the link from the response. The response can be tailored to each authorised client based on RBAC, ABAC and any other configuration the origin server may consider applicable to the given request.

--
Asbjørn Ulsberg. -=|=- asbjorn@ulsberg.no
«He's a loathsome offensive brute, yet I can't look away»
Received on Wednesday, 15 January 2025 09:52:22 UTC
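The reply above describes tailoring the link set of a hypermedia response to the caller's roles. The following is an added illustration of that idea, not code from the thread or from any participant: a constructed policy table drives both which links appear in a HAL-style representation and whether a request is allowed at all. The resource (`/orders/{id}`), the relations, the roles and `LINK_POLICY` are all hypothetical.

```python
"""Role-tailored HATEOAS links (hypothetical example, not from the thread)."""
from typing import Any, Dict, FrozenSet, Iterable, Set, Tuple

# Constructed policy: link relation -> (HTTP method, roles permitted to use it).
# Loading links and enforcement from one table keeps the two from drifting apart.
LINK_POLICY: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "self":   ("GET",    frozenset({"viewer", "editor", "admin"})),
    "edit":   ("PUT",    frozenset({"editor", "admin"})),
    "delete": ("DELETE", frozenset({"admin"})),
}


def allowed(rel: str, roles: Iterable[str]) -> bool:
    """True if at least one of the caller's roles may use this link relation."""
    _method, permitted = LINK_POLICY[rel]
    return not permitted.isdisjoint(roles)


def render_order(order: Dict[str, Any], roles: Set[str]) -> Dict[str, Any]:
    """Build a HAL-style representation carrying only links this caller may follow.

    Links the caller cannot use are simply omitted, so the client never sees
    (or spends a round trip probing) affordances it is not entitled to.
    """
    href = f"/orders/{order['id']}"  # hypothetical resource path
    links = {
        rel: {"href": href, "method": method}
        for rel, (method, _) in LINK_POLICY.items()
        if allowed(rel, roles)
    }
    return {"id": order["id"], "status": order["status"], "_links": links}


def authorize(method: str, roles: Set[str]) -> bool:
    """Enforcement point for an incoming request on the order resource.

    This is the actual access control: a client that already knows the URL and
    never saw the link is still refused here.
    """
    return any(
        m == method and not permitted.isdisjoint(roles)
        for m, permitted in LINK_POLICY.values()
    )


if __name__ == "__main__":
    import json

    order = {"id": 7, "status": "open"}  # constructed sample resource
    for role in ("viewer", "editor", "admin"):
        print(role, json.dumps(render_order(order, {role})["_links"]))
    print("editor DELETE allowed:", authorize("DELETE", {"editor"}))
```

Filtering the link set is a presentation decision; `authorize` is the boundary that matters. Deriving both from the same policy table is what lets the representation be tailored per client without the omission of a link ever being the thing that protects the endpoint.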