coolaj86
/
walnut.js
1
1
Fork 1
Code Issues Pull Requests Releases Activity

Update API.md

This commit is contained in:
AJ ONeal 2017-08-02 16:29:21 -06:00
parent 2cace0b3ad
commit ae1f47df38
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
API.md
View File

@ -62,11 +62,17 @@ Walnut will reject requests to all domains and subdomains except those that begi
* secured by disallowing cookies * secured by disallowing cookies
* secured by disallowing non-JSON form types * secured by disallowing non-JSON form types
* secured by requiring authentication in header * secured by requiring authentication in header
* `assets` is for large files and other blobs and must use JWT in Cookies for authentication * `assets` is for protected access to large files and other blobs and must use JWT in Cookies for authentication
* warning: allows implicit authorization via cookies for hotlinking and the like * warning: allows implicit authorization via cookies for hotlinking and the like
* secured by not exposing tokens when users copy-paste * secured by not exposing tokens when users copy-paste
* `webhooks` is for 3rd-party API hooks and APIs with special requirements outside of the normal security model * `webhooks` is for 3rd-party API hooks and APIs with special requirements outside of the normal security model
* warning: these are insecure and should be used with caution, prudence, and wisdom * warning: these are insecure and should be used with caution, prudence, and wisdom
* JWT via query parameter * JWT via query parameter
* urlencoded forms * urlencoded forms
* XML forms * XML forms
Bare and www domains are DISALLOWED from being served by Walnut.
This enables scalability of static sites as the static assets
are never on the same domain as generic APIs or authenticated assets.
It also enforces security by disallowing 1990s web vulnerabilities by default.