Keep Your API Secure
Андрей Листочкин (Andrey Listochkin)
November 29, 2014
Kyiv JS November 2014
Transcript
OWASP
XSS
SQL Injection
Plugins
Today
Cross-site
CSRF
HTTP
Cookies
Secure HttpOnly
Set-Cookie: name=value; domain=.whatever.com; path=/; expires=Tue, 28-Nov-2034 21:05:44 GMT; secure; HttpOnly
Cookie: name=value
sessionId=a4d543bc809
Session Management
In Memory
External
Client Based
WAT??? [picture needed]
Encrypt
salt
salt+encData
salt+encData
Sign
(salt+encData)+signature
(salt+encData+createdAt+lifetimeDuration)+signature
2 keys: encryption key, signing key
{user info} => encrypt => sign => cookie
cookie => check signature => decrypt => {User Info}
Too complicated?
But ready-made!
by Mozilla
mozilla/node-client-sessions
Browser sends cookies automatically
CSRF
Roll-your-own-Cookie
Client: custom header / payload
Server: middleware
Tokens
JSON Web Token
{user data} => encrypt => sign => token => memory, localStorage
jsonwebtoken, express-jwt
Securing WebSockets
HTTP Upgrade Request 101
Only implicit Auth: Cookie or Basic Auth
HTTP: get WS token
WS: send token to validate user
Fin
Frontend UA
Frontend UA, Angular UA, Ember UA, Node UA, Mobile Frontend
...
Gitter
NodeSchool, Node Forward, Angular UI, RobotsConf, lxjs
dev-ua
https://tinyurl.com/welcome-to-dev-ua
frontendua.im
angular.im