Sub-task
Resolution: Obsolete
Normal
SECFLOWOTL-30 - s2i Security Review
Use the following guidelines for protecting confidential files on operating systems and servers:
- Use operating system (or server) controls to enforce minimum access rights on any confidential files used by the application.
- Restricting access reduces the risk of a rogue application or malicious user reading the data, for example a file containing Personally Identifiable Information (PII) or directory listings.
- For confidential files passed to the program as input, enforce this by validating that the file has minimum access as expected before using the content.
- If the access is too wide, such as by allowing public read access, return an error to the user to correct the issue, or apply the correct access rights if the file is to be managed by the application.
- Store files obtained from untrusted sources outside the webroot, with limited permissions, and with strong validation.
Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/openshift-source-to-image-s2i-builder-image/tasks/phase/requirements/106-T214/