# Security Checklist This checklist defines requirements that Skjalaveita web services need to fulfill before a connection to the Ísland.is Pósthólf can take place. The purpose of this checklist is to prevent possible security issues when web services are implemented. ## Transport layer All communication is encoded using HTTPS (TLS 1.2+). Web servers certificate is issued by a trusted certificate authority (not self signed). * [ ] Communication is encoded on a server that supports TLS 1.2+. * [ ] Certificates are issued by a trusted certificate authority. ## Authorization The web service is implemented with OAuth 2.0, where an access token is verified against the authentication server's signed credentials. The web service also validates a scope and the token's expiration date. The web service is not accessible by any other means. * [ ] The web service is only accessible with OAuth 2.0. * [ ] The web service validates that the access token is signed by the authorization service. * [ ] Authorization is only given when the correct scope is in the access token. * [ ] An expired access token is rejected when used. ## Tokens The Skjalaveita production environment only trusts tokens that are issued by the Ísland.is production authentication server. The Ísland.is test environment uses a different authentication server and is never be trusted in production. * [ ] The production environment only trust the Ísland.is production authentication server. ## Access restriction The web service's network layer is closed and only accessible by the IP addresses that the Ísland.is Pósthólf uses to query the service. * [ ] The web service is only accessible by IP addresses that the Ísland.is Pósthólf uses. ## Form validation An input hsa to be sanitized to avoid possible injections, the correct format is also ensured. * [ ] The web service returns an error if the input is empty (i.e the nationalId or documentId is empty). * [ ] The web service returns an error if the nationalId is incorrectly formatted. * [ ] The web service returns an error if the documentId is not in the correct format. The format is determined by the Skjalaveita. * [ ] The web service is protected against injections. ## Data input validation When the Ísland.is Pósthólf retrieves a document from a Skjalaveita, it sends a nationalId and documentId pair. The Skjalaveita validates that the document is owned by the given nationalId. The document is not returned solely based on the documentId. * [ ] The web service validates the nationalId and documentId pair with the document before it is returned. ## Logging The web service logs all requests. The log contains the nationalId, documentId and when the document was requested. * [ ] Requests are logged. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.devland.is/products/postholf/postholf-00-security-checklist.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.