Collaborate Disseminate
Which Cryptographic Message Standards are recommended to ensure cryptographic agility in the future and good adapotion trough different programming languages (.NET and Go)?
(PublicKey with authenticated symetric encryption)
I doesn’t want … Continue reading Whch Cryptographic Standard ensures cryptographic agility and good adapotion
I am currently using JWT implementation for the authentication part of my APIs.
A private key is used to sign the token generated and used to make sure it’s not tampered with when it’s used later for other API.
My question is – What is the… Continue reading What is the impact of an exposed secret key for a JWT token implementation?
I am building a web app, which is made of a Node.js Backend and Angular (NOT AngularJS!!! I only used the tag, because Angular was not available..) Frontend.
How do I properly secure this app? I already have an idea to use JWT tokens (I al… Continue reading How to properly invalidate JWT tokens and sessions in this use case?
Tutorials I’ve come across about implementing magic link authentication (in Node) recommend a mechanism like this:
the user hits your endpoint with their email address
you generate a signed JWT from the email and the date using a constant… Continue reading Magic links: JWT vs random string
I understand that XSS attacks can access all globals (like cookies, storage, etc) within the context of the running javascript code, but I would like to understand if they could also have access to any in memory variables as well?
For exam… Continue reading What parts of the javascript code can an XSS attack access?
As a service provider, I allow logged in users to upload documents to a web server, and upload it to S3. The logged in user should subsequently be able to view his own documents, and I want to serve it directly from S3, with some token-ba… Continue reading Making S3 objects viewable only for logged in users
I’m in the process of developing a B2B (business-to-business) application. I’ve implemented JWT auth, and it is working as expected. Right now the authentication functions as if it were a B2C (business-to-customer) app.
I’m trying to deter… Continue reading B2B authentication best practices
I’m currently implementing a REST Api for a Single Page Application and Mobile App. Any 3rd party login or grant access to them is not required.
I’ve microservices behind a gateway (all HTTPS).
My current design is as follows:
POST usernam… Continue reading Sessions With JWT
I’m working with a client that, in order to use their OAuth 2.0 web API, requires me to provide them with a JSON Web Key (JWK) that contains an embedded X.509 certificate. Then, when I’m requesting information from the API, they say I nee… Continue reading JWK with X.509 Certificate – is self signed okay?
Context: I’m looking at storage solutions for JWT tokens on a single page application.
Storing the JWT in the local storage is unsafe and prone to XSS attacks.
Storing the JWT in a secure / HTTP only cookie is safer, but prone to CSRF att… Continue reading Split a JWT between payload and signature