Keep Your API Secure
Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Kyiv JS, November 2014
Transcript
Keep Your API Secure
OWASP
XSS
SQL Injection
Plugins
Today
Cross-site
CSRF
HTTP
Cookies
Secure HttpOnly
Set-Cookie: name=value; domain=.whatever.com; path=/; expires=Tue, 28-Nov-2034 21:05:44 GMT; secure; HttpOnly
Cookie: name=value
sessionId=a4d543bc809
Session Management
In Memory
External
Client Based
WAT??? (a picture is needed here)
Encrypt
salt
salt+encData
salt+encData
Sign
(salt+encData)+signature
(salt+encData+createdAt+lifetimeDuration)+signature
2 keys: encryption key, signing key
{user info} => encrypt => sign => cookie
cookie => check signature => decrypt => {User Info}
Too complicated?
But ready-made!
by Mozilla
mozilla/node-client-sessions
Browser sends cookies automatically
CSRF
Roll-your-own-Cookie
Client: custom header / payload; Server: middleware
Tokens
JSON Web Token
{user data} => encrypt => sign => token => memory, localStorage
jsonwebtoken, express-jwt
Securing WebSockets
HTTP Upgrade request, 101 Switching Protocols
Only implicit auth: Cookie or Basic Auth
HTTP: get WS token; WS: send token to validate user
Fin
Frontend UA
Frontend UA Angular UA Ember UA Node UA Mobile Frontend
...
Gitter
NodeSchool Node Forward Angular UI RobotsConf lxjs
dev-ua
https://tinyurl.com/welcome-to-dev-ua frontendua.im angular.im