Collaborate Disseminate
I’m trying to create a mobile app which helps to connect with my mobile app. While going through authentication I used JWT. While authenticating it, it returns access token and refresh token to the client but if both of them are sniffed so… Continue reading How to send JWT Access token with requests without being sniffed?
The password of the user shall be used for client side encryption. A PBKDF and salt shall be used to derive a key from the user password.
Do I need to store this salt on the server and deliver it to each new client/device the user authenti… Continue reading When using a user password for client side encryption, do I have to store the salt for the user encryption key on the server?
I’ve never seen any example of this and I’m just curious why? Why is it not okay just to pass it through HTTPs + encoded in a JWT? I will not be storing the password anywhere on the client side, I will just be reading it once. I’m pretty s… Continue reading Passing password back from server to client?
I’m trying to determine if a client side app, that runs in the browser has any real danger from being vulnerable to a known ReDOS issue.
My understanding of ReDOS is that inefficiencies or known short comings in regular expression computat… Continue reading What is the risk of a known ReDOS Vulnerability in a client side (Browser) app
the problem:
Having URL parameters in a web page URL address to add functionality to a website (authenticate/authorize showing stuff in the UI, being used in further http requests on load, etc.) can pose a security risk because when an end… Continue reading window.history.pushState as a solution to document.referer
The title may be a bit misleading so I will try to make this as clear as possible. We have several microservices that
expose endpoints and they communicate to each other. They needed to authenticate each other so we used mTLS (Two way TLS)… Continue reading Authenticating/ identifying dynamic UI Client to Back-End [duplicate]
I’m in process of updating the client to support TLS 1.3. When trying to connect to TLS 1.3 server, client is reporting "Internal error". Wireshark traces showing that server responded with Verify Certificate, Finished message. B… Continue reading TLS 1.3 handshake Failure – Client reports "Header Too Long" [migrated]
I know that u2f keys are designed as authentication factors, but I think it would not be far fetched to also add a protocol that the user can use to encrypt or decrypt data on the client-side. This would relieve the user from remembering a… Continue reading Is there hardware (like u2f-keys) for passwordless client-side encryption & decryption
I am developing a web application that is integrating with a third-party that does not have OAuth capability, but instead use a variety of account IDs and keys to generate tokens for API calls.
On the Front End, we have created a text fiel… Continue reading Upload Private Key into Web App
Hi I need to secure the communications between my frontend and backend, to put you in context my front resides in a PHP server owned by DonDominio (hosting web) and my backend in an instance in AWS.
My public web domain is .app so I’m forc… Continue reading Not self-signed certificate and not AWS private certificate authority, any guess?