Collaborate Disseminate
Our consulting company has received a VAPT from a consulting company on behalf of a financial customer.
The application has an HR/group management module.
Normally employees are created by an asynchronous process, but in case this fails th… Continue reading Information leakage from a API 404 response
Let say you have a REST API, which you want to use as the backend for React application. The application supports user login. You use JWT authorization to make that REST API stateless. Now the problem I have with that is that the JWT expir… Continue reading REST API authorization
I am evaluating JWT as authentication mechanism for an API. The idea is to use JWT as API key.
One thing I want to implement is revoking API keys. Since revoking involves a state change in my backend, I am losing the main advantage of JWT,… Continue reading Authentication using JWT signature, without header and payload
I have a question regarding request limits for a REST service endpoint.
I think of course the most basic identification used to limit requests is by taking the user’s IP address, but what if we have customers in an office using the same IP… Continue reading Limit REST API calls by fingerprinting and IP
I may be wrong, but for security reasons, in REST APIs the login credentials are always sent with the content type application/x-www-form-urlencoded. But I haven’t seen the same with user registration; the data is normally sent as JSON. Wh… Continue reading Why "application/x-www-form-urlencoded" is normally used for login but not for registration?
I have a use case where I am looking to authenticate my request with two endpoints that accept two different auth tokens.
My endpoint looks like this (I am using Azure traffic manager profile)
Endpoint:
-> Endpoint1 (80% traffic)
-> … Continue reading Multiple bearer tokens with POST request? [closed]
I have a use case where I am looking to authenticate my request with two endpoints that accept two different auth tokens.
My endpoint looks like this (I am using Azure traffic manager profile)
Endpoint:
-> Endpoint1 (80% traffic)
-> … Continue reading Multiple bearer tokens with POST request? [closed]
Problem
We have 100+ servers that we are looking to manage through a REST API.
The REST API for each of these servers will only ever be consumed from our Centralised Management Server (CMS). Therefore, the API will only be open to the CMS … Continue reading Securing many infrastructure servers sitting behind a centralised web server
I know that breeding your own security is bad practice, however I couldn’t find anything about this on the internet.
So I basically want to add an authentication mechanism where the client proves that they own a private key.
Suppose the fo… Continue reading Authentication in RESTful APIs using proof of private key
If I wanted to open these methods in my REST APIs securely, how can I do that? What validations should I apply?
Continue reading How to open PUT or DELETE methods securely?