Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Keep Your API Secure
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Programming
1
85
Keep Your API Secure
Kiyv JS November 2014
Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Tweet
Share
More Decks by Андрей Листочкин (Andrey Listochkin)
See All by Андрей Листочкин (Andrey Listochkin)
Everybody Stand Back! I Know Regular Expressions
listochkin
0
200
Command-line scripting with Rust. Wait, what?!
listochkin
0
410
Server Memory - BuildStuff Ukraine 2019
listochkin
0
61
Server Memory - Chernivtsi JS 2019
listochkin
1
160
10 Years Later
listochkin
0
380
Managing Managers - DevTalks iHUB
listochkin
0
70
Time, Numbers, Text
listochkin
1
620
Software Licensing: A Minefield Guide
listochkin
0
170
We Make Bots. For Real
listochkin
0
440
Other Decks in Programming
See All in Programming
AI時代のキャリアプラン「技術の引力」からの脱出と「問い」へのいざない / tech-gravity
minodriven
20
6.9k
AIエージェントのキホンから学ぶ「エージェンティックコーディング」実践入門
masahiro_nishimi
5
330
20260127_試行錯誤の結晶を1冊に。著者が解説 先輩データサイエンティストからの指南書 / author's_commentary_ds_instructions_guide
nash_efp
0
930
15年続くIoTサービスの SREエンジニアが挑む 分散トレーシング導入
melonps
2
180
Apache Iceberg V3 and migration to V3
tomtanaka
0
150
Patterns of Patterns
denyspoltorak
0
1.4k
Fluid Templating in TYPO3 14
s2b
0
130
AIフル活用時代だからこそ学んでおきたい働き方の心得
shinoyu
0
130
「ブロックテーマでは再現できない」は本当か?
inc2734
0
750
AI時代の認知負荷との向き合い方
optfit
0
150
ThorVG Viewer In VS Code
nors
0
770
Spinner 軸ズレ現象を調べたらレンダリング深淵に飲まれた #レバテックMeetup
bengo4com
1
230
Featured
See All Featured
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
0
1.9k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
200
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
0
170
The Art of Programming - Codeland 2020
erikaheidi
57
14k
The AI Search Optimization Roadmap by Aleyda Solis
aleyda
1
5.2k
Amusing Abliteration
ianozsvald
0
96
Side Projects
sachag
455
43k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.8k
Large-scale JavaScript Application Architecture
addyosmani
515
110k
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
0
2.3k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
270
Transcript
Keep Your API Secure
None
OSWAP
XSS
SQL Injection
Plugins
Today
Crossite
CSRF
HTTP
Cookies
Secure HttpOnly
Set-Cookie: name=value; domain=.whatever.com; path=/; expires=Tue, 28-Nov-2034 21: 05:44 GMT; secure;
HttpOnly
Cookie: name=value
sessionId=a4d543bc809
Session Management
In Memory
External
None
Client Based
WAT??? нужна картинка
Encrypt
salt
salt+encData
salt+encData
Sign
(salt+encData)+signature
(salt+encData+createdAt+lifetime Duration)+signature
2 keys: encryption key signing key
{user info} => encrypt => sign => cookie
cookie => check signature => decrypt => {User Info}
Too complicated?
But ready-made!
by Mozilla
mozilla/node-client-sessions
Browser sends cookies automatically
CSRF
Roll-your-own-Cookie
Client: custom header / payload Server: middleware
Tokens
JSON Web Token
{user data} => encrypt => sign => token => memory,
localStorage
jsonwebtoken express-jwt
Securing WebSockets
HTTP Upgrade Request 101
Only implicit Auth Cookie or Basic Auth
HTTP: get WS token WS: send token to validate user
Fin
Frontend UA
Frontend UA Angular UA Ember UA Node UA Mobile Frontend
...
None
Gitter
NodeSchool Node Forward Angular UI RobotsConf lxjs
dev-ua
None
https://tinyurl.com/welcome-to-dev-ua frontendua.im angular.im
listochkin
minodriven
masahiro_nishimi
nash_efp
melonps
tomtanaka
denyspoltorak
s2b
shinoyu
inc2734
optfit
nors
bengo4com
aleyda
cassininazir
tamaranovitovic
apolaine
erikaheidi
ianozsvald
sachag
reverentgeek
addyosmani
lindahogenes
akashhashmi
