Update API.md

This commit is contained in:
AJ ONeal 2017-08-02 16:29:21 -06:00
parent 2cace0b3ad
commit ae1f47df38
1 changed files with 8 additions and 2 deletions

8
API.md
View File

@ -62,7 +62,7 @@ Walnut will reject requests to all domains and subdomains except those that begi
* secured by disallowing cookies * secured by disallowing cookies
* secured by disallowing non-JSON form types * secured by disallowing non-JSON form types
* secured by requiring authentication in header * secured by requiring authentication in header
* `assets` is for large files and other blobs and must use JWT in Cookies for authentication * `assets` is for protected access to large files and other blobs and must use JWT in Cookies for authentication
* warning: allows implicit authorization via cookies for hotlinking and the like * warning: allows implicit authorization via cookies for hotlinking and the like
* secured by not exposing tokens when users copy-paste * secured by not exposing tokens when users copy-paste
* `webhooks` is for 3rd-party API hooks and APIs with special requirements outside of the normal security model * `webhooks` is for 3rd-party API hooks and APIs with special requirements outside of the normal security model
@ -70,3 +70,9 @@ Walnut will reject requests to all domains and subdomains except those that begi
* JWT via query parameter * JWT via query parameter
* urlencoded forms * urlencoded forms
* XML forms * XML forms
Bare and www domains are DISALLOWED from being served by Walnut.
This enables scalability of static sites as the static assets
are never on the same domain as generic APIs or authenticated assets.
It also enforces security by disallowing 1990s web vulnerabilities by default.