Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep Your API Secure

Avatar for Андрей Листочкин (Andrey Listochkin) Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Programming
1
87

Keep Your API Secure

Kiyv JS November 2014

Avatar for Андрей Листочкин (Andrey Listochkin)

Андрей Листочкин (Andrey Listochkin)

November 29, 2014
Tweet

More Decks by Андрей Листочкин (Andrey Listochkin)

See All by Андрей Листочкин (Andrey Listochkin)
Everybody Stand Back! I Know Regular Expressions
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
210
Command-line scripting with Rust. Wait, what?!
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
420
Server Memory - BuildStuff Ukraine 2019
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
64
Server Memory - Chernivtsi JS 2019
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
1
160
10 Years Later
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
390
Managing Managers - DevTalks iHUB
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
74
Time, Numbers, Text
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
1
620
Software Licensing: A Minefield Guide
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
170
We Make Bots. For Real
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
450

Other Decks in Programming

See All in Programming
エンジニアの「手元の自動化」を加速するn8n 2026.02.27
Avatar for 西尾義英 symy2co
0
160
ベクトル検索のフィルタを用いた機械学習モデルとの統合 / python-meetup-fukuoka-06-vector-attr
Avatar for monochromegane monochromegane
2
470
どんと来い、データベース信頼性エンジニアリング / Introduction to DBRE
Avatar for nnaka2992 nnaka2992
1
300
オブザーバビリティ駆動開発って実際どうなの?
Avatar for yohfee yohfee
4
870
GoのDB アクセスにおける 「型安全」と「柔軟性」の両立 - Bob という選択肢
Avatar for tak tak848
0
200
go directiveを最新にしすぎないで欲しい話──あるいは、Go 1.26からgo mod initで作られるgo directiveの値が変わる話 / Go 1.26 リリースパーティ
Avatar for Arthur arthur1
2
560
API Platformを活用したPHPによる本格的なWeb API開発 / api-platform-book-intro
Avatar for Takashi Kanemoto ttskch
1
140
AI 開発合宿を通して得た学び
Avatar for ニフティ株式会社 niftycorp
PRO
0
140
ふつうのRubyist、ちいさなデバイス、大きな一年 / Ordinary Rubyists, Tiny Devices, Big Year
Avatar for chobishiba chobishiba
1
470
Vuetify 3 → 4 何が変わった?差分と移行ポイント10分まとめ
Avatar for kouki.miura koukimiura
0
150
Claude Codeログ基盤の構築
Avatar for giginet giginet
PRO
7
3.4k
AWS×クラウドネイティブソフトウェア設計 / AWS x Cloud-Native Software Design
Avatar for nrs nrslib
16
3.2k

Featured

See All Featured
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
Avatar for Tomoya Matsuura tomoyanonymous
2
560
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
3.4k
svc-hook: hooking system calls on ARM64 by binary rewriting
Avatar for Akira Moroo retrage
2
170
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
Avatar for Aleyda Solis aleyda
1
2k
My Coaching Mixtape
Avatar for mlcsv mlcsv
0
76
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
11
860
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
8.9k
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
187
22k
Reality Check: Gamification 10 Years Later
Avatar for Sebastian Deterding codingconduct
0
2k
SEO Brein meetup: CTRL+C is not how to scale international SEO
Avatar for Linda Hogenes lindahogenes
1
2.4k
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.4k
The Curse of the Amulet
Avatar for Matthew Lei leimatthew05
1
10k

Transcript

  1. Keep Your API Secure

  2. None

  3. OSWAP

  4. XSS

  5. SQL Injection

  6. Plugins

  7. Today

  8. Crossite

  9. CSRF

  10. HTTP

  11. Cookies

  12. Secure HttpOnly

  13. Set-Cookie: name=value; domain=.whatever.com; path=/; expires=Tue, 28-Nov-2034 21: 05:44 GMT; secure;

    HttpOnly

  14. Cookie: name=value

  15. sessionId=a4d543bc809

  16. Session Management

  17. In Memory

  18. External

  19. None

  20. Client Based

  21. WAT??? нужна картинка

  22. Encrypt

  23. salt

  24. salt+encData

  25. salt+encData

  26. Sign

  27. (salt+encData)+signature

  28. (salt+encData+createdAt+lifetime Duration)+signature

  29. 2 keys: encryption key signing key

  30. {user info} => encrypt => sign => cookie

  31. cookie => check signature => decrypt => {User Info}

  32. Too complicated?

  33. But ready-made!

  34. by Mozilla

  35. mozilla/node-client-sessions

  36. Browser sends cookies automatically

  37. CSRF

  38. Roll-your-own-Cookie

  39. Client: custom header / payload Server: middleware

  40. Tokens

  41. JSON Web Token

  42. {user data} => encrypt => sign => token => memory,

    localStorage

  43. jsonwebtoken express-jwt

  44. Securing WebSockets

  45. HTTP Upgrade Request 101

  46. Only implicit Auth Cookie or Basic Auth

  47. HTTP: get WS token WS: send token to validate user

  48. Fin

  49. Frontend UA

  50. Frontend UA Angular UA Ember UA Node UA Mobile Frontend

    ...
  51. None

  52. Gitter

  53. NodeSchool Node Forward Angular UI RobotsConf lxjs

  54. dev-ua

  55. None

  56. https://tinyurl.com/welcome-to-dev-ua frontendua.im angular.im