Collaborate Disseminate
I’m implementing a refresh-token rotation mechanism. For the sake of simplicity in implementing the frontend I would like to remove the need for requesting a new access token when an old one expires.
The idea I have goes:
User logs in via… Continue reading Refresh-token rotation without additional frontend requests
I have a problem deciding what is the most secure method to send a login request with a username and password strings, I understood that PATCH is less secure than PUT while both are less secure than POST, would it be more sensible then to … Continue reading PATCH request on a login attempt
Below is an excerpt from https://policies.google.com/technologies/cookies#security
The ‘pm_sess’, ‘YSC’ and ‘AEC’ cookies ensure that requests within a
browsing session are made by the user, and not by other sites. These
cookies prevent m… Continue reading Google Security Cookies; Prevents cookie leak to malicious XHRs
We are using an API from a third party for managing content which is secured by an API key which does not change over time. Now we are building our own API to support part of that functionality.
So the browser calls our API which is callin… Continue reading Authentication on public availble Restful API
I am using a legacy Boa web server, which adopts HTTP instead of HTTPS. Then the Nessus scan found that it doesn’t encrypt confidential data, and specifically, the password in authentication.
How can I make some altercation to the server c… Continue reading How to make Nessus believe that my web server encrypt confidential data, e.g. password when http is employed? [closed]
For quite some time WebKit and others support WebAuthn. This allows for a pretty seamless 2FA experience with a key, like Yubico. On Apple devices TouchID/FaceID can also be used as a hardware key.
This creates an interesting workflow:
Us… Continue reading Does using TouchID and WebAuthn with a password manager defeat the 2FA?
Similar Question: Securing a multi-tenant API with SSO and different roles per tenant
I’ll provide an example
This is the top level domain:
umantis.com
This is the syntax for a tenant/subdomain:
recruitingapp-xxx.umantis.com
Why don’t th… Continue reading Is there any advantage of per-tenant password storing to cross-tenant SSO if at all? [closed]
OWASP’s Authentication Cheat Sheet states unequivocally:
Do NOT allow login with sensitive accounts (i.e. accounts that can be used internally within the solution such as to a back-end / middle-ware / DB) to any front-end user-interface.
… Continue reading Interpreting OWASP prohibition: no sensitive-account login to any frontend interface
This question relates to this post I made on StackOverflow recently, which I’ll recap here briefly.
I have a desktop app that I would like to authenticate through a website, using the process outlined below:
I click a "Login" b… Continue reading Creating secure website-based login for a desktop app
During an engagement, i have been asked by a client to explain (with the use of one
or more examples) why they must update their website authentication mechanism,
as they are currently using HTTP Basic-Authentication and how it can be dang… Continue reading What security concerns can arise from using HTTP Basic-Authentication?