Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep Your API Secure

Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Programming
1
77

Keep Your API Secure

Kiyv JS November 2014

Андрей Листочкин (Andrey Listochkin)

November 29, 2014
Tweet

More Decks by Андрей Листочкин (Andrey Listochkin)

See All by Андрей Листочкин (Andrey Listochkin)
Everybody Stand Back! I Know Regular Expressions
listochkin
0
100
Command-line scripting with Rust. Wait, what?!
listochkin
0
220
Server Memory - BuildStuff Ukraine 2019
listochkin
0
23
Server Memory - Chernivtsi JS 2019
listochkin
1
82
10 Years Later
listochkin
0
320
Managing Managers - DevTalks iHUB
listochkin
0
34
Time, Numbers, Text
listochkin
1
460
Software Licensing: A Minefield Guide
listochkin
0
110
We Make Bots. For Real
listochkin
0
340

Other Decks in Programming

See All in Programming
Let's learn code review
riofujimon
2
380
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
380
見た目から始める生産性向上
ikumatadokoro
7
850
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
170
SwiftUIで使いやすいToastの作り方 / How to build a Toast system which is easy to use in SwiftUI
lovee
3
150
Rethinking UI building strategies @ SFI 2024
letelete
0
270
Snowflakeで眠ったデータを起こそう!
estie
0
120
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
27
8.3k
dbtのドメイン分割による データ基盤の改善とDigdagとの連携
sakama
0
350
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
940
Goのmultiple errorsについて (2024年4月版)
syumai
4
900
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
3
650

Featured

See All Featured
Six Lessons from altMBA
skipperchong
21
3k
RailsConf 2023
tenderlove
4
540
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
[RailsConf 2023] Rails as a piece of cake
palkan
23
4k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Code Review Best Practice
trishagee
55
15k
Building Applications with DynamoDB
mza
88
5.6k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Practical Orchestrator
shlominoach
182
9.7k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
187
16k
Build your cross-platform service in a week with App Engine
jlugia
225
17k

Transcript

  1. Keep Your API Secure

  2. None

  3. OSWAP

  4. XSS

  5. SQL Injection

  6. Plugins

  7. Today

  8. Crossite

  9. CSRF

  10. HTTP

  11. Cookies

  12. Secure HttpOnly

  13. Set-Cookie: name=value; domain=.whatever.com; path=/; expires=Tue, 28-Nov-2034 21: 05:44 GMT; secure;

    HttpOnly

  14. Cookie: name=value

  15. sessionId=a4d543bc809

  16. Session Management

  17. In Memory

  18. External

  19. None

  20. Client Based

  21. WAT??? нужна картинка

  22. Encrypt

  23. salt

  24. salt+encData

  25. salt+encData

  26. Sign

  27. (salt+encData)+signature

  28. (salt+encData+createdAt+lifetime Duration)+signature

  29. 2 keys: encryption key signing key

  30. {user info} => encrypt => sign => cookie

  31. cookie => check signature => decrypt => {User Info}

  32. Too complicated?

  33. But ready-made!

  34. by Mozilla

  35. mozilla/node-client-sessions

  36. Browser sends cookies automatically

  37. CSRF

  38. Roll-your-own-Cookie

  39. Client: custom header / payload Server: middleware

  40. Tokens

  41. JSON Web Token

  42. {user data} => encrypt => sign => token => memory,

    localStorage

  43. jsonwebtoken express-jwt

  44. Securing WebSockets

  45. HTTP Upgrade Request 101

  46. Only implicit Auth Cookie or Basic Auth

  47. HTTP: get WS token WS: send token to validate user

  48. Fin

  49. Frontend UA

  50. Frontend UA Angular UA Ember UA Node UA Mobile Frontend

    ...
  51. None

  52. Gitter

  53. NodeSchool Node Forward Angular UI RobotsConf lxjs

  54. dev-ua

  55. None

  56. https://tinyurl.com/welcome-to-dev-ua frontendua.im angular.im