Collaborate Disseminate
I have a web app that is built using Vite for the react front-end part and uses .net API backend. The backend also configures a static file service for the prebuild frontend files but otherwise implements the API that the front-end is heav… Continue reading Content security policy for script-src directive
I am trying to figure out how to handle access and refresh tokens securely on the front end in a SPA. After doing a lot of reading, I still have questions/doubts about the proposed solutions I found on the internet.
Basically, the internet… Continue reading Secure access and refresh token handling in a SPA
I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a react SPA and a .net API, on the same domain. This web app is a case management solution that deals with medical data, running in a private ne… Continue reading Session/cookie expire time, match access token or refresh token from AD?
There is really not that great information on what the best practices are for auth in SPA/API solutions. Most of them just say use JWTs and auth code flow in the SPA. There is a ton of information regarding auth in a SPA where you are requ… Continue reading Best practises regarding authentication in SPA/API solutions with SSO
I currently try to implement progressive profiling with auth0 according to: https://auth0.com/blog/using-redirect-with-actions-to-gather-user-info-and-increase-conversions/ to gather first name and last name of a user after a succesful reg… Continue reading Progressive profiling with auth0: Security when communicating with auth0 actions
Backend: Django / Django Rest Framework, would be hosted at GCP k8s
Frontend: Angular, would be hosted at some CDN e.g Vercel
Authentication: JWT (https://github.com/jazzband/djangorestframework-simplejwt)
The frontend and backend would … Continue reading Is storing access token in private data, refresh token in http-only cookie safe?
I’m trying to implement the Double Submit Cookie pattern with extra protection using encrypted or signed CSRF tokens. I’m working with a Single Page Application and a stateless API. The purpose of this is to reduce risk of an attacker sett… Continue reading How to implement Double Submit Cookie with Encryption or HMAC
Goal I’d like to tighten my Content Security Policy.
Situation
I have a single page react application (= All code and styles are bundled together into a bundle.js file). The file is simply placed on a file storage server (Concrete: S3 buck… Continue reading CSP for Single Page App: Use client-side nonce for securing iframe content
I’m integrating my application with external service. My application will exchange data with the external service in context of some user. Data exchange will be done in background on server-side.
User must authenticate (authorization code … Continue reading Is getting OAuth2 token safe to fetch client-side and pass to server-side?
Let’s say that I have a single-page web app written in JavaScript and a server-side API, both changeable by me. The app calculates some values based on user input and POSTs these to the API. The values are based on user input but do not co… Continue reading Preventing users from tampering with input