...

2) Responses should contain only the information requested; sensitive parameters such as passwords or keys must only be returned if they are explicitly requested and even then only for parameters which CloudStack has created.  CloudStack could return its users' secret keys, for example, but there is no reason that CloudStack should return Xen host passwords, S3 secret keys, etc.  The 4.x design includes the complete state of an object instance in the response for every API which manipulates the object.  Examples:  The removeNicFromVirtualMachine API returns the VM password in the response, the disableUser API returns the user's secret key in the response, the addS3 API returns the S3 secret key, and so on.

3) Guards need to be put in place to prevent XSS and other malicious payloads from making it into the database.
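A sketch of rule 2 as a response filter, added here as an illustration and not CloudStack code. The record classes, the `sensitive` and `cloudstack_created` metadata keys and `build_response` are hypothetical names, and all sample values are constructed.

```python
from dataclasses import dataclass, field, fields


def secret(cloudstack_created):
    """Mark a field as a secret and record who created it (assumed convention)."""
    return field(default=None, metadata={"sensitive": True,
                                         "cloudstack_created": cloudstack_created})


@dataclass
class UserRecord:                 # hypothetical model of a CloudStack user
    id: str
    username: str
    state: str
    secretkey: str = secret(cloudstack_created=True)    # generated by CloudStack


@dataclass
class S3StoreRecord:              # hypothetical model of an added S3 store
    id: str
    endpoint: str
    accesskey: str
    secretkey: str = secret(cloudstack_created=False)   # supplied for an external system


def build_response(obj, requested_secrets=()):
    """Serialize obj; a secret is included only if it was explicitly requested
    AND CloudStack created it. Every other sensitive field is omitted."""
    requested = set(requested_secrets)
    response = {}
    for f in fields(obj):
        if f.metadata.get("sensitive"):
            allowed = f.name in requested and f.metadata.get("cloudstack_created")
            if not allowed:
                continue
        response[f.name] = getattr(obj, f.name)
    return response


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    user = UserRecord("u-1", "alice", "disabled", "CONSTRUCTED-USER-SECRET")
    s3 = S3StoreRecord("s3-1", "s3.example.invalid", "CONSTRUCTED-AK", "CONSTRUCTED-SK")
    print(build_response(user))                  # like a disableUser response: no secret key
    print(build_response(user, ["secretkey"]))   # explicit request: key returned
    print(build_response(s3, ["secretkey"]))     # external secret: never returned
```

Because the filter is driven by field metadata rather than per-API code, a newly added secret field is withheld by default in every response that serializes the object.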

Naming

The naming of API calls and parameters is not consistent, which makes them less intuitive than they could be for the application programmers using them. This is a placeholder to list such cases so we can address them going into 5.0. Please add to this list.

...