Collaborate Disseminate
Let’s say that I have a single-page web app written in JavaScript and a server-side API, both changeable by me. The app calculates some values based on user input and POSTs these to the API. The values are based on user input but do not co… Continue reading Preventing users from tampering with input
I’m researching our options for securing access to a single-page web app and a mobile app. The apps communicate with a REST API which, based on the authenticated user’s identity, will return potentially sensitive information. The apps can … Continue reading Auth0 token exchange vs Google Firebase token exchange
In a new project, we try to clarify how authorization should look like. I’ve been reading up on this for days, but it’s not really clear to me which solution would be the right one to use. Some solutions are not recommended anymore, some s… Continue reading Refresh token rotation or Authorization Code Flow with PKCE
I am pretty sure that the answer to my question is no, but I have been have a hard time finding an answer through official documentation or other posts here. Here is simple use case for some context:
Python backend web application (api.do… Continue reading Is it possible to set an HttpOnly Cookie from one domain to another subdomain
I’m currently in need of some clarification for an authentication/overall strategy. First I will describe the use case and then the questions that arise for me.
Use Case
I want to have a single docker container consisting of an API and a d… Continue reading Multiple user specific APIs with a single Authentication Server
I want to build an SPA with ASP.NET Core (Blazor server side) which some IFrames redirecting to other applications. In this example I have f.e. the SPA, Grafana to show graphs and Node-Red, but there could be more in the future. To create … Continue reading Implement an SPA with IFrames, but with Single Sign-on
Consider a use-case in which a single page application using an OAuth identity flow has to use one of many possible identity providers, as determined by what user is logged in. More specifically, I log in using my credentials for Company A… Continue reading Delegating to multiple auth providers from a single page application
I am using csruf to prevent against CSRF attacks with NodeJS (express server) and Single Page application (SPA)
I have the following code in my server.js
const csrfProtection = csrf({
cookie: {
httpOnly: true,
secure: process.env… Continue reading Configure CSRF in NodeJs and react (SPA)
I have an ASP.Net Web API and a ReactJS front end. Each has their own website in IIS. The ReactJS site has no server side rendering. Both sites share the same authentication cookie because the front end runs as an application inside the We… Continue reading CSRF protection and Single Page App running in a frame set
Is it safe to include the CSRF token as part of an HTTPS successful login JSON response in an SPA? If not, is there a better mechanism for sending it which avoids the Double Submit Cookie pattern?
Some background:
I am building an SPA appl… Continue reading CSRF token in SPA login JSON response?