Principle of minimality (web applications)

From Wikipedia, the free encyclopedia

The principle of minimality is an approach to specifying or limiting the information a web application exposes, so that a potential attacker or "hacker" finds it difficult or impossible to obtain, in order to limit the vulnerability resulting from security gaps.

Starting points

As a rule, it is advisable to provide only the information that is necessary for the application or the user. Anything beyond this can offer unnecessary starting points for compromising the web application. The information content of publicly accessible demo applications must be assessed from a security perspective and, where possible, restricted. Under no circumstances should demo applications be made available as instances of the production application. Detailed explanations are to be given only to users who are logged on to the application. Help pages that contain information about the relationships between protected applications must likewise be accessible only in the protected area.

Examples

Incorrect: "Please enter your username and 6-digit PIN."
Correct: "Please enter your user ID and PIN."

Incorrect: "The password you entered is incorrect" if the user ID is correct and the password is incorrect.
Correct: "Login not possible. User ID or password incorrect."

Incorrect: "The user does not exist" if the user ID does not exist.
Correct: "Login not possible. User ID or password incorrect."

Incorrect: Entry on the help page: "Enter your customer number here. You will find the customer number at the top left of every invoice. It is the 5-digit sequence of numbers that begins with a K."
Correct: Omit exact details of formats, lengths and data types, as well as any hints from which outsiders could learn how to obtain them. Instead: "... in the form we told you in our cover letter."
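The second and third examples above are two sides of the same defect: a login form whose failure message differs depending on whether the user ID exists lets an outsider confirm valid account names. The following added example (not from the article or the cited book) shows a verbose login routine beside a minimal one and a small check that compares their failure messages. The user store, the user "alice" and her password are constructed sample data; the salted PBKDF2 hashing and the dummy hash for unknown user IDs are assumptions added so that the minimal variant also does the same amount of work on every failure path, which keeps response time from becoming a second channel for the same information.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an assumption for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed in-memory user store: user_id -> (salt, password hash). Not real data.
USERS: dict[str, tuple[bytes, bytes]] = {}


def add_user(user_id: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[user_id] = (salt, _hash_password(password, salt))


add_user("alice", "correct horse battery staple")  # constructed sample account

# Dummy credentials used for unknown user IDs so the unknown-user path costs a full
# hash computation, just like the wrong-password path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_MESSAGE = "Login not possible. User ID or password incorrect."


def login_verbose(user_id: str, password: str) -> tuple[bool, str]:
    """Incorrect: the message tells the caller whether the user ID exists."""
    if user_id not in USERS:
        return (False, "The user does not exist")
    salt, stored = USERS[user_id]
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return (False, "The password you entered is incorrect")
    return (True, "Welcome")


def login_minimal(user_id: str, password: str) -> tuple[bool, str]:
    """Correct: one message, and the same work, on every failure path."""
    salt, stored = USERS.get(user_id, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest runs in constant time; the membership check guards the
    # (negligible) case of a password colliding with the random dummy secret.
    ok = hmac.compare_digest(stored, candidate) and user_id in USERS
    if not ok:
        return (False, GENERIC_MESSAGE)
    return (True, "Welcome")


def leaks_account_existence(login_fn) -> bool:
    """True if an unknown user ID and a wrong password yield different messages."""
    _, unknown_user_msg = login_fn("nobody", "wrong-password")
    _, wrong_password_msg = login_fn("alice", "wrong-password")
    return unknown_user_msg != wrong_password_msg


if __name__ == "__main__":
    print("verbose login leaks account existence:", leaks_account_existence(login_verbose))
    print("minimal login leaks account existence:", leaks_account_existence(login_minimal))
```

The same idea applies to the first example: a prompt that names the PIN length, or a help page that describes the customer-number format, gives away structure that the uniform message deliberately withholds. In a real application the generic message would also be paired with logging of the specific reason on the server side, where only operators can read it.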

Literature

  • Mario Heiderich, Christian Matthies, Johannes Dahse: Secure web applications. 1st edition. Galileo Press, Bonn 2009, ISBN 978-3-8362-1194-9.