
4.13. Coexisting with Web Browsing


Even when an application is not intended to be used with a Web browser, its resources can be accessed by browsers either accidentally (e.g., through misconfiguration) or maliciously. Applications need to consider how they will behave in such situations.

For applications that are not intended to be used with browsers:

  • Applications SHOULD return an appropriate error message (e.g., 403 Forbidden or 404 Not Found) when accessed by a browser.

  • Applications SHOULD include security headers (such as Content-Security-Policy [CSP], X-Frame-Options, and X-Content-Type-Options) on every response, including error responses, to limit what browsers can do if they do access the application.

  • Applications SHOULD be aware of browser-specific behavior, such as automatic following of redirects, executing JavaScript, and making prefetch requests.

For applications that are intended to support both API clients and Web browsers:

  • Applications SHOULD use content negotiation to provide appropriate representations for different clients.

  • Applications SHOULD ensure that browser-based access doesn't create security vulnerabilities (see Section 6).

  • Applications SHOULD consider using different URLs or subdomains for browser and non-browser access to allow for different security policies.

Applications SHOULD be aware of Cross-Origin Resource Sharing (CORS) [FETCH] and how it affects browser-based access to resources. CORS can be used to control which origins are allowed to read responses from a browser. Note that CORS does not prevent a browser from sending a request in the first place (for example, a simple cross-origin GET or form POST is still delivered to the server); it only governs whether the calling script can read the response and whether non-simple requests are preflighted. Applications therefore MUST NOT rely on CORS alone as an authorization mechanism.