Collaborate Disseminate
We have a B2B Rest API with Client Certificate authentication.
Are there any reasons to add also a payload signature check to this API?
I’m seeing many service providers which add a digital signature payload parameter on the… Continue reading Are there any reasons to add payload signature to a rest API with mutual TLS?
Note: This question is not the same as the linked possible duplicate. That question asks how checking the origin/referer header protects against CSRF. This questions is asking how to implement the specific details.
I see a l… Continue reading CSRF Origin and Referer Header just check host?
This question is related to an earlier questions: 1 & 2 about the limitations in web application vulnerability scoring/automated vulnerability scoring. Indeed, scoring vulnerabilities detected in web and REST-based applic… Continue reading Machine Learning based application vulnerability scoring
Many API’s (services) today use OAuth, HTTP Basic Authentication or API keys to authenticate their users.
My goal is to find a simplistic secure way to authenticate users in a client-side webapplication in a stateless way fo… Continue reading A simplistic stateless alternative to HTTP basic auth for API’s
Is it safe to use the following stateless authorization mechanism between a client (iOS & Android) and server?
Sign up
The client provides an email and password and saves the clear password on the Keychain of iOS and u… Continue reading Is it safe to use a stateless authorization mechanism where the clear password is stored on the keychain?
I am planning to use AES CBC PKCS5PADDING with a passphrase to encrypt my REST API traffic to POST/GET over HTTPS from an Android application. the scope is to protect user data from MITM attacks and also if an attacker knows … Continue reading Using AES CBC PKCS5PADDING for REST API?
I’m developing a mobile app for iOS and Android that has, due to specs that are given by management, some security flaws. However, I can’t quite explain in concrete business speak why the specs are not secure, and thus I can’… Continue reading How is this registration setup vulnerable?
I’m trying to build an iOS app, I have wrote the code and all, and now I am implementing the APIs to communicate with the database.
The app will be using HTTPS and POST Requests to communicate with the API.
Users Passwords… Continue reading Securing mobile app API Using UDID and Argon2
First of all I want to mention, that I absolutely do NOT want to implement my own crypto in any way. I was just thinking about this topic and after some research I was not finding a good solution.
I hope, that there is a kn… Continue reading Authenticate against third party with OTP
I am developing an application where I provide a JavaScript to my clients (stored on my CDN), and they can load it to their web pages via a script tag. This JavaScript does some checks on the DOM and sends the information to … Continue reading Security on a REST Api used from a JS