Collaborate Disseminate
I’ve recently had a conversation with a colleague (in a new job for me) around access to client’s servers which are deployed in their premises.
They have said that allowing ssh access to those servers is something that any CISO would run f… Continue reading Leaving SSH access to deployed on prem server — why is this bad?
As the title says, I want to create a RESTful API (stateless) that will access Google API endpoints. First I want to authenticate the user and then use that token provided by Google to access Google Calendar API.
This is the current flow o… Continue reading RESTful API with Google API and OAuth2
Our consulting company has received a VAPT from a consulting company on behalf of a financial customer.
The application has an HR/group management module.
Normally employees are created by an asynchronous process, but in case this fails th… Continue reading Information leakage from a API 404 response
Let say you have a REST API, which you want to use as the backend for React application. The application supports user login. You use JWT authorization to make that REST API stateless. Now the problem I have with that is that the JWT expir… Continue reading REST API authorization
I am evaluating JWT as authentication mechanism for an API. The idea is to use JWT as API key.
One thing I want to implement is revoking API keys. Since revoking involves a state change in my backend, I am losing the main advantage of JWT,… Continue reading Authentication using JWT signature, without header and payload
I have a question regarding request limits for a REST service endpoint.
I think of course the most basic identification used to limit requests is by taking the user’s IP address, but what if we have customers in an office using the same IP… Continue reading Limit REST API calls by fingerprinting and IP
I may be wrong, but for security reasons, in REST APIs the login credentials are always sent with the content type application/x-www-form-urlencoded. But I haven’t seen the same with user registration; the data is normally sent as JSON. Wh… Continue reading Why "application/x-www-form-urlencoded" is normally used for login but not for registration?
I have a use case where I am looking to authenticate my request with two endpoints that accept two different auth tokens.
My endpoint looks like this (I am using Azure traffic manager profile)
Endpoint:
-> Endpoint1 (80% traffic)
-> … Continue reading Multiple bearer tokens with POST request? [closed]
I have a use case where I am looking to authenticate my request with two endpoints that accept two different auth tokens.
My endpoint looks like this (I am using Azure traffic manager profile)
Endpoint:
-> Endpoint1 (80% traffic)
-> … Continue reading Multiple bearer tokens with POST request? [closed]
Problem
We have 100+ servers that we are looking to manage through a REST API.
The REST API for each of these servers will only ever be consumed from our Centralised Management Server (CMS). Therefore, the API will only be open to the CMS … Continue reading Securing many infrastructure servers sitting behind a centralised web server