From 253055014113efdcbea7be04008c59f1393f163f Mon Sep 17 00:00:00 2001 From: "Jeoffrey Fischer [SSW]" <106663901+jeoffreyfischer@users.noreply.github.com> Date: Wed, 30 Oct 2024 09:45:01 +1100 Subject: [PATCH] Edited security comment - Luke review --- rules/key-principles-of-rest-api-design/rule.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/key-principles-of-rest-api-design/rule.md b/rules/key-principles-of-rest-api-design/rule.md index 7876d5d534..87685d363f 100644 --- a/rules/key-principles-of-rest-api-design/rule.md +++ b/rules/key-principles-of-rest-api-design/rule.md @@ -72,9 +72,9 @@ Consistent sorting parameters allow developers to retrieve and organize data eff ## Tip \#6 - Security should not be an afterthought -Security is paramount in API design. Pass sensitive information, like access tokens, securely via headers (e.g., `Authorization: Bearer {token}`). +Security is paramount when building REST APIs. Most REST APIs are hosted online, and you don't want to rely on "security via obscurity". Ensure you spend time hardening your surface area. -Common security headers should also be considered: +Common sense approaches include protecting your endpoints via short-lived access tokens (even for seemingly benign functionality), as well as your typical security headers such as: * Content-Security-Policy (CSP) * Strict-Transport-Security (HSTS)
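Review bot: The rewritten first paragraph of Tip #6 drops the only concrete instruction the old text had, namely that access tokens are passed in the `Authorization: Bearer {token}` header; the new sentence about "short-lived access tokens" says how long a token should live but no longer says where it goes, so the reader loses the one actionable detail. Suggest keeping that example in the new paragraph, e.g. "Protect your endpoints with short-lived access tokens, sent in the `Authorization: Bearer {token}` header rather than in the URL." Two smaller style points in the same hunk: the usual phrase is "security through obscurity" rather than "security via obscurity", and "hardening your surface area" reads better as "reducing and hardening your attack surface". Finally, since the list that follows is introduced as "your typical security headers", consider noting that `Content-Security-Policy` and `Strict-Transport-Security` are response headers enforced by browsers, so they protect browser-based consumers of the API but do nothing for the token handling the paragraph is about.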