From ae1f47df38569af729e2e4d68efad4275f1feb6f Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Wed, 2 Aug 2017 16:29:21 -0600 Subject: [PATCH] Update API.md --- API.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/API.md b/API.md index 35295d2..1957597 100644 --- a/API.md +++ b/API.md @@ -62,11 +62,17 @@ Walnut will reject requests to all domains and subdomains except those that begi * secured by disallowing cookies * secured by disallowing non-JSON form types * secured by requiring authentication in header -* `assets` is for large files and other blobs and must use JWT in Cookies for authentication +* `assets` is for protected access to large files and other blobs and must use JWT in Cookies for authentication * warning: allows implicit authorization via cookies for hotlinking and the like * secured by not exposing tokens when users copy-paste * `webhooks` is for 3rd-party API hooks and APIs with special requirements outside of the normal security model * warning: these are insecure and should be used with caution, prudence, and wisdom * JWT via query parameter * urlencoded forms - * XML forms \ No newline at end of file + * XML forms + +Bare and www domains are DISALLOWED from being served by Walnut. + +This enables scalability of static sites as the static assets +are never on the same domain as generic APIs or authenticated assets. +It also enforces security by disallowing 1990s web vulnerabilities by default. \ No newline at end of file
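Review bot: The last added line of the hunk, `+It also enforces security by disallowing 1990s web vulnerabilities by default.`, is too vague for an API reference; the hunk itself already states the concrete property, so name it instead: because `assets` must use JWT in cookies (and explicitly allows implicit cookie authorization for hotlinking) while `api` is secured by disallowing cookies, keeping them off the bare/www domain and off a shared domain is what prevents cookie-based authorization from carrying over from asset requests to API requests. A wording such as "Serving only dedicated subdomains keeps the cookie-authenticated `assets` routes on a separate origin from the cookie-free `api` routes, so implicit cookie authorization never applies to API calls" would make the security claim checkable rather than a slogan. Also, the hunk still ends with `\ No newline at end of file` on the new side; add the trailing newline while touching this region.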