Properly Securing Node.js APIs
Chathu Vishwajith
September 22, 2018
Properly securing Node.js APIs at WebWeekend Kathmandu #WWKTM.
Transcript
WebWeekend Kathmandu
Perfectly Securing Node.js APIs
Who am I: Chathu Vishwajith, Auth0 Ambassador, Co-Founder of a startup, from Sri Lanka!
Cookie vs Tokens
Cookie      | Tokens
Stateful    | Stateless
Performance | Decoupled
Advantages of JWT → Stateless → Scalable → Decoupled
Advantages of JWT (Cont) → Cross-Domain → CORS
Use cases of JWT → Back-end APIs → Serverless Applications → IoT Devices → Mobile Applications
Things to Remember → JWTs are encoded, not encrypted! → This does not mean they can be modified, though: even the slightest change invalidates the token → Do not store sensitive information within a JWT. → Solution: JSON Web Encryption allows you to safely encrypt the claims of a token
JWT Token Structure: header.payload.signature
Header: type of token and the algorithm used for the signature → HMAC → ECDSA → RSA
Payload: your token payload (the claims)
Signature: used to verify the token has not been altered
Libraries: almost all languages have a JWT implementation.
How to use JWT
Install JWT Library For Node.js and Express.js
Create JWT
Verify JWT
Organizing code → Module based approach. → Configuration in files. → Auto load models and routes. → Keep your secret secret.
Config file: keep all changing config strings in one place.
.env file: we use dotenv to load the .env file.
Shall we move on to the code, then?
Summary → Some APIs need to be secured → Cookie vs Tokens → JWT is Stateless, Scalable, Decoupled → How to use JWT with Node.js
Code repository https://github.com/iamchathu/nodejs-api-starter
More Reading https://chathu.me/2017/08/28/jwt-introduction/
Thank you !