5.1 Security Considerations for Implementers

When using this protocol over an untrusted network, an HTTPS (as described in [RFC2818]) connection can help mitigate risks of protocol messages being intercepted or tampered with.

The information contained in the presentation identified by the pid query string parameter is likely to be security sensitive. For example, it could contain confidential data such as financial records. Therefore, it is recommended that the protocol server establish that the protocol client has permission to access the presentation before returning it.

There are no restrictions on the protocol server regarding the Content-Type message header, as described in [RFC2616] section 14.17. Therefore, it is recommended that the protocol client check the Content-Type of each response and process the body only if it is of an expected type, to avoid running any executable file that could pose a security risk.
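One way a protocol client can implement the Content-Type check described above, as an added example that is not part of this specification: the media type is parsed per [RFC2616] section 14.17 (parameters such as charset are ignored), and a missing, malformed or unlisted type is rejected rather than sniffed. The allowlist contents are an assumption for illustration; a real client would list the media types the protocol actually returns.

```python
import re
from typing import Mapping, Optional

# Constructed allowlist for this example: the media types a protocol client
# expects back for a presentation resource. These values are assumptions and
# are not taken from the specification.
ALLOWED_MEDIA_TYPES = frozenset({
    "application/xml",
    "text/xml",
    "application/json",
    "image/png",
    "image/jpeg",
})

# An RFC 2616 token, restricted to start with an alphanumeric so that
# wildcards such as "*/*" are not accepted as a concrete media type.
_TOKEN = r"[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]*"
_MEDIA_TYPE_RE = re.compile(rf"^({_TOKEN})/({_TOKEN})$")


def parse_media_type(header_value: Optional[str]) -> Optional[str]:
    """Return the lowercased type/subtype from a Content-Type header value
    (RFC 2616 section 14.17), ignoring parameters such as charset.
    Returns None when the header is absent or syntactically invalid."""
    if header_value is None:
        return None
    media_type = header_value.split(";", 1)[0].strip().lower()
    if not _MEDIA_TYPE_RE.match(media_type):
        return None
    return media_type


def is_acceptable_response(headers: Mapping[str, str],
                           allowed=ALLOWED_MEDIA_TYPES) -> bool:
    """Decide whether the protocol client may process the response body.
    Anything other than an explicitly expected media type is refused, so an
    executable or unknown payload is never handed to a handler that might
    run it."""
    # HTTP header names are case-insensitive; normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    media_type = parse_media_type(normalised.get("content-type"))
    return media_type is not None and media_type in allowed


if __name__ == "__main__":
    # Constructed sample responses: one expected, one not.
    print(is_acceptable_response({"Content-Type": "Text/XML; charset=utf-8"}))
    print(is_acceptable_response({"Content-Type": "application/x-msdownload"}))
```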