Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep Your API Secure

Avatar for Андрей Листочкин (Andrey Listochkin) Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Programming
88
1

Keep Your API Secure

Kiyv JS November 2014

Avatar for Андрей Листочкин (Andrey Listochkin)

Андрей Листочкин (Andrey Listochkin)

November 29, 2014

More Decks by Андрей Листочкин (Andrey Listochkin)

See All by Андрей Листочкин (Andrey Listochkin)
Everybody Stand Back! I Know Regular Expressions
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
210
Command-line scripting with Rust. Wait, what?!
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
420
Server Memory - BuildStuff Ukraine 2019
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
68
Server Memory - Chernivtsi JS 2019
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
1
160
10 Years Later
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
390
Managing Managers - DevTalks iHUB
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
81
Time, Numbers, Text
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
1
650
Software Licensing: A Minefield Guide
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
180
We Make Bots. For Real
Avatar for Андрей Листочкин (Andrey Listochkin) listochkin
0
460

Other Decks in Programming

See All in Programming
Symfony AI in Action - SymfonyLive Berlin 2026
Avatar for Christopher Hertel chr_hertel
1
160
iOS26時代の新規アプリ開発
Avatar for 野瀬田 裕樹 yuukiw00w
0
130
Migrations : C'est une question d'hygiène !
Avatar for Vincent Amstoutz vinceamstoutz
0
620
新規プロダクトを高速で生み出すハーネスエンジニアリング
Avatar for Ryohei Ikegami seanchas116
3
180
AgentCore Optimizationを始めよう!
Avatar for matsukada licux
3
250
[BalkanRuby 2026] Drop your app/services!
Avatar for Vladimir Dementyev palkan
3
510
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
400
Structured Concurrency, Scoped Values and Joiners in the JDK 25 26 27
Avatar for José josepaumard
1
150
要はバランスからの卒業 #yumemi_grow
Avatar for Takuma Kajikawa kajitack
0
170
Are We Really Coding 10× Faster with AI?
Avatar for Koichi Yoshida kohzas
0
190
PHPでバイナリをパースして理解するASN.1
Avatar for muno92 muno92
PRO
0
460
書籍「ユーザーストーリーマッピング」が私のバイブル
Avatar for asumikam asumikam
4
490

Featured

See All Featured
Digital Ethics as a Driver of Design Innovation
Avatar for Per Axbom axbom
PRO
1
290
Primal Persuasion: How to Engage the Brain for Learning That Lasts
Avatar for Mike Taylor tmiket
0
340
The Limits of Empathy - UXLibs8
Avatar for Cassini Nazir cassininazir
1
330
Lightning talk: Run Django tests with GitHub Actions
Avatar for Sarah Abderemane sabderemane
0
180
Mozcon NYC 2025: Stop Losing SEO Traffic
Avatar for Sam Torres samtorres
0
230
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.6k
From Legacy to Launchpad: Building Startup-Ready Communities
Avatar for Dug Song dugsong
0
210
The Hidden Cost of Media on the Web [PixelPalooza 2025]
Avatar for Tammy Everts tammyeverts
2
300
Leveraging Curiosity to Care for An Aging Population
Avatar for Cassini Nazir cassininazir
1
240
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
62
54k
Exploring the relationship between traditional SERPs and Gen AI search
Avatar for Ray Grieselhuber raygrieselhuber
PRO
2
4k
New Earth Scene 8
Avatar for Sydney Stone popppiees
3
2.2k

Transcript

  1. Keep Your API Secure

  2. None

  3. OSWAP

  4. XSS

  5. SQL Injection

  6. Plugins

  7. Today

  8. Crossite

  9. CSRF

  10. HTTP

  11. Cookies

  12. Secure HttpOnly

  13. Set-Cookie: name=value; domain=.whatever.com; path=/; expires=Tue, 28-Nov-2034 21: 05:44 GMT; secure;

    HttpOnly

  14. Cookie: name=value

  15. sessionId=a4d543bc809

  16. Session Management

  17. In Memory

  18. External

  19. None

  20. Client Based

  21. WAT??? нужна картинка

  22. Encrypt

  23. salt

  24. salt+encData

  25. salt+encData

  26. Sign

  27. (salt+encData)+signature

  28. (salt+encData+createdAt+lifetime Duration)+signature

  29. 2 keys: encryption key signing key

  30. {user info} => encrypt => sign => cookie

  31. cookie => check signature => decrypt => {User Info}

  32. Too complicated?

  33. But ready-made!

  34. by Mozilla

  35. mozilla/node-client-sessions

  36. Browser sends cookies automatically

  37. CSRF

  38. Roll-your-own-Cookie

  39. Client: custom header / payload Server: middleware

  40. Tokens

  41. JSON Web Token

  42. {user data} => encrypt => sign => token => memory,

    localStorage

  43. jsonwebtoken express-jwt

  44. Securing WebSockets

  45. HTTP Upgrade Request 101

  46. Only implicit Auth Cookie or Basic Auth

  47. HTTP: get WS token WS: send token to validate user

  48. Fin

  49. Frontend UA

  50. Frontend UA Angular UA Ember UA Node UA Mobile Frontend

    ...
  51. None

  52. Gitter

  53. NodeSchool Node Forward Angular UI RobotsConf lxjs

  54. dev-ua

  55. None

  56. https://tinyurl.com/welcome-to-dev-ua frontendua.im angular.im