From f3d56b3c080b5987aaaa2cabee7f168f5155c6e3 Mon Sep 17 00:00:00 2001 From: bishnubista Date: Wed, 29 Apr 2026 18:13:42 -0700 Subject: [PATCH] fix(SAFE-T1408): neutralize orphan SAFE-M-101..106 / 201..203 references MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 100-series and 200-series numbering schemes do not exist in the canonical mitigations/ directory — every authored mitigation is in the SAFE-M-1..72 range. The references in techniques/SAFE-T1408/README.md appear to be a parallel local numbering scheme that was never promoted to canonical files (likely an aspirational scheme or copy-paste from an external doc). This commit drops the broken inline ID claims and preserves each mitigation's descriptive title and body text, marked as "(canonical mitigation pending)" to signal future canonical authoring: Preventive Controls (M-101..106): Disable Implicit Flow Enforce PKCE Client Registration Hardening HTTP Message Signatures Audience and Scope Restriction Secure Token Storage Detective Controls (M-201..203): Log Monitoring Token Exposure Alerts Replay Detection Note: some of these may correspond to existing canonical mitigations (e.g., "Enforce PKCE" overlaps with SAFE-M-38 PKCE Enforcement; "Log Monitoring" overlaps with SAFE-M-12 Audit Logging). Re-linking those is intentionally deferred to a follow-up so this PR remains a narrow cleanup with no taxonomy decisions. Closes 9 of the 32 remaining dangling SAFE-M-NN references identified by corpus audit. The remaining 23 are ID collisions across multiple techniques and will be addressed in separate scoped PRs. Signed-off-by: bishnubista --- techniques/SAFE-T1408/README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/techniques/SAFE-T1408/README.md b/techniques/SAFE-T1408/README.md index af5fc7eb..6c2df27a 100644 --- a/techniques/SAFE-T1408/README.md +++ b/techniques/SAFE-T1408/README.md @@ -151,17 +151,17 @@ tags: ## Mitigation Strategies ### Preventive Controls -1. **SAFE-M-101: Disable Implicit Flow**: Configure authorization server to reject `response_type=token`. -2. **SAFE-M-102: Enforce PKCE**: Require PKCE for all public clients. -3. **SAFE-M-103: Client Registration Hardening**: Allow only authorization code flow with PKCE. -4. **SAFE-M-104: HTTP Message Signatures**: Use RFC 9421 to sign requests, preventing parameter tampering and downgrade attempts. -5. **SAFE-M-105: Audience and Scope Restriction**: Bind tokens to specific resources and minimize privileges. -6. **SAFE-M-106: Secure Token Storage**: Ensure tokens are never stored in URLs, logs, or insecure browser storage. +1. **Disable Implicit Flow** *(canonical mitigation pending)*: Configure authorization server to reject `response_type=token`. +2. **Enforce PKCE** *(canonical mitigation pending)*: Require PKCE for all public clients. +3. **Client Registration Hardening** *(canonical mitigation pending)*: Allow only authorization code flow with PKCE. +4. **HTTP Message Signatures** *(canonical mitigation pending)*: Use RFC 9421 to sign requests, preventing parameter tampering and downgrade attempts. +5. **Audience and Scope Restriction** *(canonical mitigation pending)*: Bind tokens to specific resources and minimize privileges. +6. **Secure Token Storage** *(canonical mitigation pending)*: Ensure tokens are never stored in URLs, logs, or insecure browser storage. ### Detective Controls -1. **SAFE-M-201: Log Monitoring**: Detect requests with implicit flow parameters. -2. **SAFE-M-202: Token Exposure Alerts**: Alert when tokens appear in URL fragments. -3. **SAFE-M-203: Replay Detection**: Monitor for repeated use of the same token across multiple MCP servers. +1. **Log Monitoring** *(canonical mitigation pending)*: Detect requests with implicit flow parameters. +2. **Token Exposure Alerts** *(canonical mitigation pending)*: Alert when tokens appear in URL fragments. +3. **Replay Detection** *(canonical mitigation pending)*: Monitor for repeated use of the same token across multiple MCP servers. ### Response Procedures 1. **Immediate Actions**: