Commit 17cc08c

Apply suggestions from code review
Typo fixes from Martin. Co-authored-by: Martin Thomson <[email protected]>
1 parent 92a04ef commit 17cc08c

1 file changed

+4
-4
lines changed

draft-ietf-httpapi-privacy.md

Lines changed: 4 additions & 4 deletions
@@ -120,7 +120,7 @@ relies on the client to implement persistent storage of the HSTS directive.
120120

121121
Used together, however, both approaches make clients less likely to send any
122122
requests over an insecure channel.
123-
HTTP API servers with authenticated endpoints SHOULD
123+
HTTP API servers with authenticated endpoints SHOULD
124124
employ both mechanisms.
125125

126126
## Connection Blocking
@@ -168,7 +168,7 @@ requests received over an insecure channel, regardless of the validity of the
168168
presented credentials.
169169

170170
Because a difference in behavior would enable attackers to guess and check
171-
possible credentials, an HTTP API server MUST NOT return a different client
171+
possible credentials, an HTTP API server MUST NOT return a different client
172172
response
173173
between a valid or invalid credential presented over an insecure connection.
174174
Differences in behavior MUST only be visible on subsequent use of the credential
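Review bot: "MUST only be visible" at new line 174 is ambiguous as a requirement, and "between a valid or invalid credential" at line 173 reads awkwardly. Since this commit already touches the sentence, consider rewording line 171-173 as "MUST NOT return a different response for a valid credential than for an invalid one presented over an insecure connection", and recasting line 174 as a MUST NOT so it is clear what is prohibited. The one-word line "response" at 172 could be reflowed in the same pass.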
@@ -198,7 +198,7 @@ recommendations above.
198198
## Implement Relevant Protocols
199199

200200
Clients SHOULD support and query for HTTPS records {{!RFC9460}} when
201-
establishing a connection. This gives HTTP API servers an opportunit
201+
establishing a connection. This gives HTTP API servers an opportunity
202202
to provide more
203203
complete information about capabilities, some of which are security-relevant.
204204

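Review bot: "some of which are security-relevant" at line 203 does not say which capabilities a client is expected to act on, so the SHOULD at line 200 gives implementers little to test against. Consider naming at least one such capability or pointing to the section that does. The short line "to provide more" at 202 is left over from the edit and could be reflowed.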
@@ -229,7 +229,7 @@ This entire document is about security of HTTP API interactions.
229229
The behavior recommended in {{credential-revocation}} creates the potential for
230230
a denial of service attack where an attacker guesses many possible credentials
231231
over an unencrypted connection in hopes of discovering and revoking a valid one.
232-
HTTP API ervers implementing this mitigation MUST also guard against such attacks, such
232+
HTTP API servers implementing this mitigation MUST also guard against such attacks, such
233233
as by limiting the number of requests before closing the connection and
234234
rate-limiting the establishment of insecure connections.
235235

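Review bot: The MUST at new line 232 is backed only by "such as" measures, so it is hard to tell what a conforming server has to do, and the sentence reads "such attacks, such as by". Consider stating the required outcome first (for example, a bound on how many credentials one client can test over insecure connections) and then listing the two measures at 233-234 as ways to meet it. Line 232 is also noticeably longer than the wrapped lines around it.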