Collaborate Disseminate
(This is a followup to my question about a general security scheme here)
As part of an authentication scheme for a single-page application + REST API, I planned to provide authenticated clients with a short-lived access JWT … Continue reading Is it useful to have separate access tokens and refresh tokens if they’re going to be stored on the client-side as cookie?
I’m trying to secure a REST API that I’m using as a backend for a single-page application. The API provides access to read/create/modify/delete protected resources, based on a set of permissions managed by an administrator. What I’m thinki… Continue reading Is this security scheme using passwords, short-lived access JWTs, and long-lived refresh tokens a good way to secure a REST API?
I’ve read a lot about Implicit Grant Flow and when it should be used, but I can’t wrap my head around a use case for where it would have made sense over the Authentication Code Grant Flow before PKCEs were a recommended option.
Here is wh… Continue reading What was the point of Implicit Grant Flow in OAuth 2.0?
I am trying to build an app that deals with finance, specifically crypto-currency. What are the fundamentals (preferably in point form, but I’d appreciate explanations too) of securing such an app from attackers?
I am new t… Continue reading Fundamentals of securing a web app? [on hold]
I develop a webservice currently and communication might be a bottleneck. It would be at least 100ms faster if I could access the webservice from the browser directly instead of sending the messages to the consumer’s server f… Continue reading Is there a way to protect against fake messages by an SPA that consumes a webservice directly?
I went thru multiple posts saying how implicit grant is a security risk and why auth code grant with AJAX request to Authorization server should be used after redirecting to application (without client_secret passed to Auth s… Continue reading Which grant type : Implicit or Auth code (with No secret key) is suitable for Single Page Application(SPA)?
I’m building a JSON API. For authentication I plan to use a random-token based approach, with the random token having 256 bits of entropy and generated using a CSRNG. A hash of the token will be stored in server-side in the d… Continue reading Storage of API authentication token in single-page-applications
I have Single Page Application based on Open ID Connect flow (keycloak).
I wonder what are the security considerations for refresh token storage – what are the advantages and disadvantages for storing refresh token by the web/mobile appli… Continue reading OIDC SPA Keycloak refresh_token storage location
I would like to hide certain content behind a paywall in my VueJS app. In googling around…
Some tutorials recommend storing the currently logged in user in local storage. And then before showing the restricted content, yo… Continue reading Is it possible to truly hide content behind a paywall in a single page app?
I have a case where I want to run multiple single page applications on the same domain. Those apps should get access to a specific set of APIs.
Example:
myapp.example/profile: hosts the profile app
myapp.example/api/profi… Continue reading API isolation for multiple single page applications under the same domain