From 679866bc9577a1ca98e0c5cb9b62f9260a391b4f Mon Sep 17 00:00:00 2001 From: aniewielska Date: Tue, 24 Nov 2020 16:27:05 +0000 Subject: [PATCH] Add security related topics to spec --- openapi/task_execution_service.openapi.yaml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/openapi/task_execution_service.openapi.yaml b/openapi/task_execution_service.openapi.yaml index e937a6b..b288ec7 100644 --- a/openapi/task_execution_service.openapi.yaml +++ b/openapi/task_execution_service.openapi.yaml @@ -40,7 +40,25 @@ info: The TES API specification is written in OpenAPI and embodies a RESTful service philosophy. It uses JSON in requests and responses and standard - HTTP/HTTPS for information transport. + HTTP/HTTPS for information transport. HTTPS should be used rather than plain HTTP + except for testing or internal-only purposes. + + ### Authentication and Authorization + + Is is envisaged that most TES API instances will require users to authenticate to use the endpoints. + However, the decision if authentication is required should be taken by TES API implementers. + + + If authentication is required, we recommend that TES implementations use an OAuth2 bearer token, although they can choose other mechanisms if appropriate. + + + Checking that a user is authorized to submit TES requests is a responsibility of TES implementations. + + ### CORS + + If TES API implementation is to be used by another website or domain it must implement Cross Origin Resource Sharing (CORS). + Please refer to https://w3id.org/ga4gh/product-approval-support/cors for more information about GA4GH’s recommendations and how to implement CORS. + servers: - url: /ga4gh/tes/v1
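Review bot: The "Authentication and Authorization" paragraph recommends an OAuth2 bearer token in prose only; since this file is an OpenAPI document, the recommendation should also be expressed in a `components.securitySchemes` entry (for example `type: http` with `scheme: bearer`) and referenced from a top-level `security` list, so that generated clients and validators see the requirement rather than only human readers. Two wording fixes in the same hunk: "Is is envisaged" should read "It is envisaged", and "If TES API implementation is to be used" should read "If a TES API implementation is to be used". The HTTPS sentence's exception for "internal-only purposes" is broad enough to let a deployment on an internal network serve bearer tokens in the clear; consider restricting the exception to local testing, or at least stating that bearer tokens must never be sent over plain HTTP. Finally, the sentence "Checking that a user is authorized to submit TES requests is a responsibility of TES implementations" would be more useful to implementers if it pointed at the response codes the spec expects for unauthenticated and unauthorized requests (401 versus 403), assuming the spec defines those responses elsewhere.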