Collaborate Disseminate
Due to several customer reasons our product needs to support Basic Auth as primary authentication mechanism with client’s service account.
We are using Bcrypt to store customer’s password in our DB, however Bcrypt (combined with Basic Auth… Continue reading Best secure approach with Basic Auth
I have came across a REST API for some commercial software, that checks authentication by requiring HMAC on concatenation of
http_method (GET, PUT, etc)
timestamp
payload (body of a POST / PUT request if any)
path (everything between http… Continue reading REST API is protected by HMAC based authentication. What does including URL path in the message protect from?
Reading around I gather that for a Restful API since you don’t use cookies,then you send the token in the Auth header.Correct so far?
When on a traditional MVC app ,do you send the token inside a httponly cookie? Does then the server have … Continue reading JWT token. Send in a cookie or Auth header depending on Rest vs MVC?
I don’t like my server having access to plaintext passwords. Instead of SRP, OPAQUE or another PAKE that needs several rounds, I was thinking I could take the username, server url and password, run a hardened hash like scrypt and generate … Continue reading Replace hashed password by public key generated from password
This doing a Spring Boot application (Rest API, JPA, etc) uses (via Rest) from a website (Angular) and a mobile app (Android).
The user using the mobile app (in the future) will be able to authenticate via Facebook, Google, etc, and store … Continue reading Authentication for website and mobile app
I’m working on an Android application with few millions of users. The app has some financial|payment features. We have some public APIs and some authenticated ones (OAuth2). As a part of enhancing our security, we are currently using "… Continue reading Reject requests from our tampered android apps
My web application is a long sequence of games, which submit progress results back to the server via a web API. These progress messages are how we know how many points the user has earned. The points are used to show rankings and status an… Continue reading How can I prevent API bot automation by a legitimate user?
We are using an application that exposes several REST endpoints. The service offers a very simple but insecure authentication using plain text HTTP headers. The network that this service will be sitting in already has it’s own centralized … Continue reading Securing a third party REST service
I created a large backend+frontend project for a client. They recently started a different project, and contracted an other company to develop and host it. Since they need some of the data from my project, they asked me to develop an api, … Continue reading How could a server to server rest api communication be more secure, by using OAuth 2?
I have been working on a front end (React) app that sends REST requests to an API end point. I am aware that sensitive items such as API keys should not be stored in front end frameworks (like React, for example),
BUT…
Right now, I am j… Continue reading API key safety in front end app running in localhost