Keep Your API Secure
Kyiv JS November 2014
Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Transcript
Keep Your API Secure
OWASP
XSS
SQL Injection
Plugins
Today
Cross-site
CSRF
HTTP
Cookies
Secure HttpOnly
Set-Cookie: name=value; domain=.whatever.com; path=/; expires=Tue, 28-Nov-2034 21:05:44 GMT; secure; HttpOnly
Cookie: name=value
sessionId=a4d543bc809
Session Management
In Memory
External
Client Based
WAT??? need a picture
Encrypt
salt
salt+encData
salt+encData
Sign
(salt+encData)+signature
(salt+encData+createdAt+lifetimeDuration)+signature
2 keys: encryption key, signing key
{user info} => encrypt => sign => cookie
cookie => check signature => decrypt => {User Info}
Too complicated?
But ready-made!
by Mozilla
mozilla/node-client-sessions
Browser sends cookies automatically
CSRF
Roll-your-own-Cookie
Client: custom header / payload Server: middleware
Tokens
JSON Web Token
{user data} => encrypt => sign => token => memory, localStorage
jsonwebtoken, express-jwt
Securing WebSockets
HTTP Upgrade Request 101
Only implicit Auth Cookie or Basic Auth
HTTP: get WS token; WS: send token to validate user
Fin
Frontend UA
Frontend UA, Angular UA, Ember UA, Node UA, Mobile Frontend
...
Gitter
NodeSchool, Node Forward, Angular UI, RobotsConf, lxjs
dev-ua
https://tinyurl.com/welcome-to-dev-ua frontendua.im angular.im