Security Checklist

This checklist defines requirements that Skjalaveita web services need to fulfill before a connection to the Í Pósthólf can take place. The purpose of this checklist is to prevent possible security issues when web services are implemented.

Transport layer

All communication is encoded using HTTPS (TLS 1.2+). Web servers certificate is issued by a trusted certificate authority (not self signed).


The web service is implemented with OAuth 2.0, where an access token is verified against the authentication server's signed credentials. The web service also validates a scope and the token's expiration date. The web service is not accessible by any other means.


The Skjalaveita production environment only trusts tokens that are issued by the Í production authentication server. The Í test environment uses a different authentication server and is never be trusted in production.

Access restriction

The web service's network layer is closed and only accessible by the IP addresses that the Í Pósthólf uses to query the service.

Form validation

An input hsa to be sanitized to avoid possible injections, the correct format is also ensured.

Data input validation

When the Í Pósthólf retrieves a document from a Skjalaveita, it sends a nationalId and documentId pair. The Skjalaveita validates that the document is owned by the given nationalId. The document is not returned solely based on the documentId.


The web service logs all requests. The log contains the nationalId, documentId and when the document was requested.

Last updated