# Security Checklist This checklist defines requirements that Skjalaveita web services need to fulfill before a connection to the Ísland.is Pósthólf can take place. The purpose of this checklist is to prevent possible security issues when web services are implemented. ## Transport layer All communication is encoded using HTTPS (TLS 1.2+). Web servers certificate is issued by a trusted certificate authority (not self signed). * [ ] Communication is encoded on a server that supports TLS 1.2+. * [ ] Certificates are issued by a trusted certificate authority. ## Authorization The web service is implemented with OAuth 2.0, where an access token is verified against the authentication server's signed credentials. The web service also validates a scope and the token's expiration date. The web service is not accessible by any other means. * [ ] The web service is only accessible with OAuth 2.0. * [ ] The web service validates that the access token is signed by the authorization service. * [ ] Authorization is only given when the correct scope is in the access token. * [ ] An expired access token is rejected when used. ## Tokens The Skjalaveita production environment only trusts tokens that are issued by the Ísland.is production authentication server. The Ísland.is test environment uses a different authentication server and is never be trusted in production. * [ ] The production environment only trust the Ísland.is production authentication server. ## Access restriction The web service's network layer is closed and only accessible by the IP addresses that the Ísland.is Pósthólf uses to query the service. * [ ] The web service is only accessible by IP addresses that the Ísland.is Pósthólf uses. ## Form validation An input hsa to be sanitized to avoid possible injections, the correct format is also ensured. * [ ] The web service returns an error if the input is empty (i.e the nationalId or documentId is empty). * [ ] The web service returns an error if the nationalId is incorrectly formatted. * [ ] The web service returns an error if the documentId is not in the correct format. The format is determined by the Skjalaveita. * [ ] The web service is protected against injections. ## Data input validation When the Ísland.is Pósthólf retrieves a document from a Skjalaveita, it sends a nationalId and documentId pair. The Skjalaveita validates that the document is owned by the given nationalId. The document is not returned solely based on the documentId. * [ ] The web service validates the nationalId and documentId pair with the document before it is returned. ## Logging The web service logs all requests. The log contains the nationalId, documentId and when the document was requested. * [ ] Requests are logged.