Hi,
Do we have guidance on how to configure a strong SSL cipher configuration with TLS 1.2 for Apigee OPDK?
Also session fixation with respect to OWASP for Apigee.
I reviewed the OWASP Top 10 doc from Apigee; it did not cover the above information.
Let me know if I'm missing anything.
Not exactly sure what you mean by "strong SSL cipher", but the article Empirical Analysis of Valid Values for VirtualHost ssl_ciphers for Testing TLS 1.2 identifies valid SSL cipher values to configure virtual hosts to use TLS 1.2.
As for "session fixation", A2:2017 - Broken Authentication and Session Management addresses this; it's not really an Apigee product issue, more of an implementation flaw in applications.
Hope that helps!
Maybe follow the Financial-grade API standards and restrict as per https://openid.net/specs/openid-financial-api-part-2-wd-06.html#tls-considerations
Again, speak to your security team for any further guidance. These cipher restrictions can be applied on the virtual host: https://docs.apigee.com/how-to-guides/configuring-cipher-suites-on-virtual-host-routers
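The two answers above point at a list of valid ssl_ciphers values and at the virtual host as the place to restrict them, but neither shows how to decide which suites to keep. The script below is an added example, not Apigee's code and not taken from the linked docs: it audits a candidate list of suites written in the JSSE/IANA form (TLS_kx_auth_WITH_cipher_mac) that the Apigee virtual host docs use, keeps only forward-secret AEAD suites, and assembles the properties block for a virtual host update. The property names ssl_protocols and ssl_ciphers, the comma-separated ssl_ciphers value and the space-separated ssl_protocols value are assumptions taken from those docs, so confirm them (and the valid-value list from the "Empirical Analysis" article) for your OPDK version before applying. The acceptance policy is this example's, not an Apigee default, and the candidate list is constructed for illustration.

```python
"""Audit TLS 1.2 cipher suites (JSSE/IANA names) and build an Apigee
virtual-host properties block that pins the accepted ones.

Added example; not Apigee's own code. Property names/value formats are
assumed from the Apigee virtual host docs (verify for your OPDK release).
"""
import json
import re

# TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>; longer alternatives listed first so
# ECDHE is not swallowed by ECDH and DH_anon is not swallowed by DH.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH_anon|DH_anon|ECDH|DH|RSA)"
    r"(?:_(?P<auth>RSA|ECDSA|DSS))?"
    r"_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>SHA256|SHA384|SHA|MD5)$"
)

# Bulk ciphers that disqualify a suite outright ("DES" also matches 3DES_EDE).
BROKEN_CIPHERS = ("NULL", "RC4", "DES", "RC2", "IDEA", "SEED", "EXPORT")


def assess(suite):
    """Return (accepted, reason) for one suite under a forward-secrecy + AEAD policy."""
    m = SUITE_RE.match(suite)
    if not m:
        # Signalling values such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV, and
        # anything else we cannot parse, are rejected rather than guessed at.
        return False, "unrecognised suite name"
    kx, cipher, mac = m["kx"], m["cipher"], m["mac"]
    if kx not in ("ECDHE", "DHE"):
        return False, "no forward secrecy: static or anonymous key exchange"
    if any(bad in cipher for bad in BROKEN_CIPHERS):
        return False, "weak or broken bulk cipher"
    if "GCM" not in cipher and "CHACHA20" not in cipher:
        return False, "not AEAD: CBC suites expose MAC-then-encrypt padding oracles"
    if mac in ("SHA", "MD5"):
        return False, "weak PRF/MAC hash"
    return True, "ok"


def filter_strong(suites):
    """Split candidates into accepted suites (order kept) and {suite: reason} rejections."""
    accepted, rejected = [], {}
    for suite in suites:
        ok, why = assess(suite)
        if ok:
            accepted.append(suite)
        else:
            rejected[suite] = why
    return accepted, rejected


def virtual_host_properties(suites, protocols=("TLSv1.2",)):
    """Build the 'properties' block for a virtual host create/update call.

    Assumed shape (from the Apigee virtual host reference): a 'property' list
    of name/value pairs; ssl_protocols space-separated, ssl_ciphers comma-separated.
    """
    accepted, rejected = filter_strong(suites)
    if not accepted:
        raise ValueError("no acceptable suites: " + json.dumps(rejected))
    return {
        "properties": {
            "property": [
                {"name": "ssl_protocols", "value": " ".join(protocols)},
                {"name": "ssl_ciphers", "value": ",".join(accepted)},
            ]
        }
    }


# Constructed candidate list: the kind of mix a default JVM/OpenSSL build
# offers, not the suite list of any particular OPDK version.
CANDIDATES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    strong, weak = filter_strong(CANDIDATES)
    for suite, why in weak.items():
        print(f"reject {suite}: {why}")
    # Paste the resulting block into the virtual host JSON sent to the
    # management API (merge with the host's existing properties).
    print(json.dumps(virtual_host_properties(strong), indent=2))
```

After the virtual host is updated, confirm the router's behaviour from outside rather than trusting the configuration: `openssl s_client -connect <router-host>:443 -tls1_1` should fail to handshake, and `openssl s_client -connect <router-host>:443 -tls1_2 -cipher '<suite>'` should succeed only for the suites you kept. Note that openssl's `-cipher` takes OpenSSL names (for example ECDHE-RSA-AES256-GCM-SHA384), not the JSSE names used in the virtual host property.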