Collaborate Disseminate
OWASP states:
Non-public REST services must perform access control at each API
endpoint. Web services in monolithic applications implement this by
means of user authentication, authorisation logic and session
management. This has several … Continue reading Access Control for REST APIs – OWASP recommendation
I am comparing implementation complexity of JWS and Client Certificate and troubleshooting Client Certificate at the same time.
I understand that both methods require to prove that the certificate (x5c in JWS or the actual Client Certifica… Continue reading Verification of certificate trustworthiness (e.g. in JWS and Client Certificate)
Since most people seem to caution against storing JWT tokens in the localStorage and recommend keeping them in the HttpOnly cookies, in this case I don’t really see the advantage of using JWT auth. Why not just use Cookie auth to begin wit… Continue reading Using HMAC signed cookies instead of JWT for authentication
I have a an endpoint, it redirects to an image which is stored on a storage service, I am considering if it is safe to embed the JWT in the url endpoint as such https://host/image?token=. This is the same JWT token which the system uses to… Continue reading Security risk of embedding JWT in URL?
Say we have multiple instances of application X deployed on site1.com, site2.com, site3.com, etc. And we have a centralized server at example.com serving all of these.
All the instances of X are static sites, that is, they do not have a se… Continue reading Is it bad practice to use only one token for a SPA (no applications, only user)?
The W3C working group is working on the standardization of Decentralized Identifiers (DIDs). I watched a video presentation about DIDs and the presenter mentioned several times the possibility of generating unique pseudonymous identities f… Continue reading Use-case for decentralized identifiers (DIDs) with unique identities for each relationship
As per my understanding both JWT and Basic Auth used to store login credentials on client side and avoid sessions for better scalability. I understand with Basic Auth login credentials will be sent along with each request which is a secur… Continue reading What are the advantages of using JWT over Basic Auth with Https?
Reading around I gather that for a Restful API since you don’t use cookies,then you send the token in the Auth header.Correct so far?
When on a traditional MVC app ,do you send the token inside a httponly cookie? Does then the server have … Continue reading JWT token. Send in a cookie or Auth header depending on Rest vs MVC?
(I try to understand different concepts regarding web development in general)
Most information I find is about Single Page Applications, but how does a dynamic site make use of (for example) OAuth2/tokens? Maybe we want the pages to be ren… Continue reading How can OAuth2 (tokens) fit into dynamic sites that still wants to call protected API’s via JavaScript?
I’m building an app where the client will be issued a JWT. The JWT will be passed to my API for every request. I’m leaning in the direction of hosting my webserver and SQL server separately from each other using EC2 and RDS.
SECRET = bin2h… Continue reading JSON Web Token secret storage