Keep Your API Secure
Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Kyiv JS, November 2014
Transcript
Keep Your API Secure
OWASP
XSS
SQL Injection
Plugins
Today
Cross-site
CSRF
HTTP
Cookies
Secure HttpOnly
Set-Cookie: name=value; domain=.whatever.com; path=/; expires=Tue, 28-Nov-2034 21:05:44 GMT; secure; HttpOnly
Cookie: name=value
sessionId=a4d543bc809
Session Management
In Memory
External
Client Based
WAT??? (a picture is needed here)
Encrypt
salt
salt+encData
salt+encData
Sign
(salt+encData)+signature
(salt+encData+createdAt+lifetime Duration)+signature
2 keys: encryption key, signing key
{user info} => encrypt => sign => cookie
cookie => check signature => decrypt => {User Info}
Too complicated?
But ready-made!
by Mozilla
mozilla/node-client-sessions
Browser sends cookies automatically
CSRF
Roll-your-own-Cookie
Client: custom header / payload; Server: middleware
Tokens
JSON Web Token
{user data} => encrypt => sign => token => memory, localStorage
jsonwebtoken, express-jwt
Securing WebSockets
HTTP Upgrade Request 101
Only implicit auth: Cookie or Basic Auth
HTTP: get WS token; WS: send token to validate user
Fin
Frontend UA
Frontend UA, Angular UA, Ember UA, Node UA, Mobile Frontend
...
Gitter
NodeSchool Node Forward Angular UI RobotsConf lxjs
dev-ua
https://tinyurl.com/welcome-to-dev-ua frontendua.im angular.im