Keep Your API Secure
Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Kyiv JS, November 2014
Transcript
Keep Your API Secure
OWASP
XSS
SQL Injection
Plugins
Today
Cross-site
CSRF
HTTP
Cookies
Secure HttpOnly
Set-Cookie: name=value; domain=.whatever.com; path=/; expires=Tue, 28-Nov-2034 21:05:44 GMT; secure; HttpOnly
Cookie: name=value
sessionId=a4d543bc809
Session Management
In Memory
External
Client Based
WAT??? (need a picture)
Encrypt
salt
salt+encData
salt+encData
Sign
(salt+encData)+signature
(salt+encData+createdAt+lifetime duration)+signature
2 keys: encryption key, signing key
{user info} => encrypt => sign => cookie
cookie => check signature => decrypt => {User Info}
Too complicated?
But ready-made!
by Mozilla
mozilla/node-client-sessions
Browser sends cookies automatically
CSRF
Roll-your-own-Cookie
Client: custom header / payload; Server: middleware
Tokens
JSON Web Token
{user data} => encrypt => sign => token => memory,
localStorage
jsonwebtoken, express-jwt
Securing WebSockets
HTTP Upgrade Request 101
Only implicit auth: Cookie or Basic Auth
HTTP: get WS token; WS: send token to validate user
Fin
Frontend UA
Frontend UA Angular UA Ember UA Node UA Mobile Frontend
...
Gitter
NodeSchool, Node Forward, Angular UI, RobotsConf, lxjs
dev-ua
https://tinyurl.com/welcome-to-dev-ua
frontendua.im
angular.im