Collaborate Disseminate
We have an application with HTML5, CSS3, Angular, single page or progressive, which depends stateless on the backend for APIs.
If the payload has private PII Data, the recommendation is to encrypt the entire packet.
What are the approaches… Continue reading Payload Security for Single Page app to back end REST Services
Crawling and auditing the traffic using the Burp Suite, our Angular application was flagged for the following:
OWASP Top 10 Classification – Broken authentication and session management – Sensitive data exposure
I was able to grab the toke… Continue reading OWASP session token in url azure b2c
Crawling and auditing the traffic using the Burp Suite, our Angular application was flagged for the following:
OWASP Top 10 Classification – Broken authentication and session management – Sensitive data exposure
I was able to grab the toke… Continue reading OWASP session token in url azure b2c
I am having a problems defining the flow of an application that is supposed to be authenticated / authorized securely with an SPA frontend. Currently using an SPA with a Spring application server as a backchannel / client for Oauth2. The s… Continue reading SPA Oauth2 and Backchannel (Client)
We are writing a pure javascript front-end (in angular) for an API that still uses OAuth 1 for legacy reasons. Being pure javascript means the consumer secret is part of the code that gets downloaded at the start, before authentication, an… Continue reading Is OAuth 1 less secure than OAuth 2 in an SPA
Context: I’m looking at storage solutions for JWT tokens on a single page application.
Storing the JWT in the local storage is unsafe and prone to XSS attacks.
Storing the JWT in a secure / HTTP only cookie is safer, but prone to CSRF att… Continue reading Split a JWT between payload and signature
I have a website developed using VueJS (i.e. its a single page application). I’ve been looking at implementing Content Security Policy headers. As I tested out the header values I would need, I realised I would have to allow ‘unsafe-inline… Continue reading Content Security Policy applied to Single Page Applications: Is it worth it with unsafe-inline?
This question is essentially the opposite of Why isn’t PKCE encouraged for Single-Page Apps?.
In recent years, most OAuth API vendors seem to be have become unanimous in recommending that JavaScript apps without a server backend (a.k.a. SPAs) use a proof-key-for-code-exchange grant flow (PKCE, as documented here).
What I’m curious about is why that change came about.
It’s easy to understand why PKCE is needed in native apps, where things like custom URI schemes are used to collect access tokens, which is a vector for token leakage when any app on your OS can potentially register itself as a handler for your URI scheme.
But what are the weaknesses in a browser app? Referer headers? Extensions? History leakage? Some other vector I haven’t thought of but which evil hackers will swoop in to exploit mere minutes after my site goes live?
(For the record, I have no particular aversion to using PKCE, I’m just really interested in the security context and would like to get better at reasoning about weaknesses in front end applications)
Continue reading Why *is* PKCE recommended for single page JavaScript apps?
Say I have three components in a system:
An identity service, hosted at identity.mydomain.com
A single page application, served from app.mydomain.com
An API, protected by requiring a bearer token signed by identity.mydomain.com
In the … Continue reading Taking advantage of subdomains for refresh token rotation in SPAs
I have an API and an SPA. The SPA is all anonymous but I want to ensure the caller of the API is authorized to do so.
It seems that all of the OAuth best practices, e.g. PKCE, depend on a user actually logging in, which will never happen… Continue reading Is there a current best practice for authorizing an SPA to get/post to API