Update API.md
This commit is contained in:
parent
2cace0b3ad
commit
ae1f47df38
8
API.md
8
API.md
|
@ -62,7 +62,7 @@ Walnut will reject requests to all domains and subdomains except those that begi
|
|||
* secured by disallowing cookies
|
||||
* secured by disallowing non-JSON form types
|
||||
* secured by requiring authentication in header
|
||||
* `assets` is for large files and other blobs and must use JWT in Cookies for authentication
|
||||
* `assets` is for protected access to large files and other blobs and must use JWT in Cookies for authentication
|
||||
* warning: allows implicit authorization via cookies for hotlinking and the like
|
||||
* secured by not exposing tokens when users copy-paste
|
||||
* `webhooks` is for 3rd-party API hooks and APIs with special requirements outside of the normal security model
|
||||
|
@ -70,3 +70,9 @@ Walnut will reject requests to all domains and subdomains except those that begi
|
|||
* JWT via query parameter
|
||||
* urlencoded forms
|
||||
* XML forms
|
||||
|
||||
Bare and www domains are DISALLOWED from being served by Walnut.
|
||||
|
||||
This enables scalability of static sites as the static assets
|
||||
are never on the same domain as generic APIs or authenticated assets.
|
||||
It also enforces security by disallowing 1990s web vulnerabilities by default.
|
Loading…
Reference in New Issue