Collaborate Disseminate
Are there any security risks to returning a user’s JWT in the response body to a GET request? The JWT is only returned for authenticated users. Authentication is managed via a JWT stored as a HttpOnly, Secure, SameSite:Lax cookie.
Flow, in… Continue reading Security risks to returning JWT token in the response body to a GET request?
My question is : Is this approach correct given I have a non-Oauth service? My goal is to use the simplest amount of security features while still being as strong as possible.
My approach is as follows and I am asking for feedback on wheth… Continue reading I have a non-Oauth service and am using this approach with Server initiated HttpOnly cookies with stripped JWT
We have a web service where GET is always safe and all unsafe POST requests use single-use CSRF tokens. We have some cases where cross-origin domain would need to pass us POST request with data that should be used with currently active use… Continue reading I have CSRF protection implemented server side, can I safely use `SameSite=None; Secure; HttpOnly`?
Conventional wisdom to prevent CSRF is to use CSRF tokens, but with the new cookie attributes and prefixes, do you even need to generate/save tokens at all?
I’ve had the thought that if I just set a cookie with a static value, I can simply… Continue reading Is a static SameSite cookie enough to protect against CSRF?
As I understand it, the SameSite attribute for cookies helps me advise standard browsers what they can do with them.
So if I’m a server running on http://acme.com/my-app and I’ve set a cookie like:
Set-Cookie: JSESSIONID=1234567890abcdef; … Continue reading Why does Chrome require Secure for SameSite=None cookies?
I have read Incrementally Better Cookies, a couple of web.dev articles and tried to google for "same-origin cookies" but could not find anything so I wonder if this is being worked on.
SameSite=Strict & Lax are a very good pr… Continue reading Would "same-origin cookies" make sense?
I have a mostly public API with some parts of it "credentialed" behind cookies, similarly to e.g. how WordPress’ REST API works. (In our case, it’s a GraphQL API but that shouldn’t matter.)
I want to enable CORS for it and am con… Continue reading Difference between `Access-Control-Allow-Origin: *` (wildcard) and specific origins
I have read that storing the jwt token within the httponly secure cookie is the recommended way to prevent both csrf attacks and xss attacks.
When a user goes to my website they may make an api call like so
POST mygatewayproxy.example/logi… Continue reading Setting httponly secure cookies in microservice architecture
I am working on securing a Blazor WASM site. So far I have a Auth API so that my multiple apps can use one auth service. I also have a Blazor WASM site. I am tying to mimic the Anti-Forgery Tokens that a Asp.Net site would have. Since my s… Continue reading Blazor WASM Anti-Forgery Token
If I use the same machine (my PC) but with a different IP address and a different browser that I have never used to visit a site, will that site still be able to identify me? I don’t understand the browser fingerprinting thing that well. T… Continue reading How do I assure that a site that I visit does not know I have been there before?