All Questions

932 questions with no upvoted or accepted answers
9 votes, 1 answer, 1k views

Is it safe to pass auth token via iOS deep link?

I'm designing a webapp/mobileapp security flow where there are no passwords, only an auth token sent to the phone via SMS. Flaws in this? The plan: Phone receives SMS link with embedded invite token ...

9 votes, 1 answer, 883 views

Is my hack to store users' private data on Cloudant secure?

I want to store users' private information on a CouchDB in Cloudant - i.e. each user should be able to read and update only his own document. Usually such information is saved in the _users db, but I ...

8 votes, 1 answer, 82 views

Why is an authentication URL not needed in OAuth 2.0 grant types other than authorization code?

I have good knowledge of all OAuth grant types including use cases, but I have a question. I have seen many examples of authorization code, so if I talk about the steps of the authorization code grant type where ...

7 votes, 0 answers, 83 views

Is OTP-less authentication possible in Android?

Problem Statement: User X wants to log in or sign up to App A and App B. Considering: OS Environment: Android; User X, Device D, App A and App B (App A and App B are two different organizations). App A ...

7 votes, 0 answers, 287 views

Double-Edged Approach to API-based web app authentication with Spring

I am creating a web application that will be handling sensitive data. The application is implemented as a Spring Boot RESTful API, so that different flexible clients can be created around it. Right ...

6 votes, 1 answer, 624 views

Why does using JWT refresh tokens protect against CSRF during authentication?

I have read a few articles regarding JWT refresh tokens, and how/why they are used. One thing I have seen mentioned here: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/#persistance ...

6 votes, 0 answers, 909 views

Protect source code for auth-only routes in SSR Nuxt.js (or plain Vue.js)

I use an Express backend with the nuxt.render middleware to consolidate my API, front-end and development environment. So far, everything is going great, but I had some concerns about security ...

6 votes, 1 answer, 680 views

Design for Mobile Authentication with NodeJS server

I recently struggled with the problem of security and user authentication for an iOS app I'm making, the main problem being how does one allow users to sign up with any 3rd party service (or a ...

6 votes, 3 answers, 10k views

Writing custom Shiro realm

I am constructing my own AuthorizingRealm subclass, and am having a tough time wiring it up to my SecurityManager. The essence of my realm: public class MyRealm extends AuthorizingRealm { ...

5 votes, 2 answers, 177 views

Proxy Security Service for Web Service requiring Uname/Password in the Request

We have a vendor supplied solution that requires a username and password to utilize their APIs exposed as a web service. They are to be included in the actual xml of the call. We obviously don't like ...

5 votes, 0 answers, 534 views

Security in Google Apps Script public HTMLService with new Utilities.getUuid() for each request

First question on Stack Overflow in my life! I am coming from the embedded programming world, and I have a very superficial knowledge of web security. I have built a platform using Google Apps Script. ...

5 votes, 1 answer, 766 views

Secure authentication/authorisation in a Single-Page Application

I am building the following: A JavaScript Single-Page Application; A Node.js backend exposing a RESTful API, which will store user data; User credentials (email/password) can be created via the ...

5 votes, 2 answers, 1k views

How to avoid showing the consent screen in our own native apps when using external authentication?

Background: We have developed a web application featuring a REST API using OAuth2/OIDC and support for third-party apps. We have developed our own native apps for Android and iOS. Currently they ...

5 votes, 0 answers, 2k views

How to validate user's cached credentials against a domain?

When you log on to Windows, your credentials are cached. This allows you to use single sign-on. If you were to then browse to another computer, e.g.: \\hydrogen you would not be prompted for ...

5 votes, 1 answer, 3k views

Universal way to authenticate clients and secure a RESTful api

I've been digging through stackoverflow / security.stackexchange threads and getting no definite answers on providing a universal way for clients to securely consume RESTful services I am building ...

5 votes, 4 answers, 3k views

ApacheDS and Kerberos Setup

I am tasked with setting up an ApacheDS 2.0.0 LDAP + Kerberos (including KDC) server for use in our testing environment. I followed this guide, but am unable to successfully authenticate with my LDAP ...

5 votes, 1 answer, 1k views

Securely Storing Password Hashes in Cache

I am making a back-end server as a personal project. Currently, when someone registers, their password is hashed with Bcrypt, and saved in the database. However, querying the database every time I ...

5 votes, 2 answers, 2k views

Symfony 2.3 Bad Credentials Custom provider

I'm completely lost at the moment; for two days I have been trying to figure out why I always obtain a "Bad Credential" response on my login form. I've used the How to load Security Users from the Database tutorial. ...

5 votes, 2 answers, 182 views

Google authentication and authorization among their apps

Google provides a bunch of apps like Plus, Gmail, Docs, Reader, etc. Internally, these apps can talk to each other securely somehow to query information/data. I am wondering conceptually how Google ...

5 votes, 2 answers, 2k views

Mutual SSL - how much authentication is sufficient?

Suppose you have a mutual SSL service, which in addition to the SSL, has application authentication. Thus, clients provide certificates (as well as servers), but the client request (e.g., REST ...

4 votes, 0 answers, 674 views

Vue.js sending passwords via axios to an API

How can I secure this code? In the browser's network inspector, we can see newPassword and acutalPassword. The user writes the actual password and the new password to change the password, in a Vue ...

4 votes, 0 answers, 300 views

Is SMTP plain authentication secure when using STARTTLS?

I am writing some Linux code which requires sending emails. My question is: when I do use STARTTLS (starttls on in msmtprc) is it secure to use plain authentication (auth plain)? Is the connection a)...

4 votes, 0 answers, 359 views

Which type of token auth is more secure for an API?

I am confused whether I should choose between devise-token-auth (issues new tokens for each request) or knock (issues a JSON web token once and keeps using it till it expires or the user signs in again) ...

4 votes, 0 answers, 129 views

How can we make sure LinkedIn JavaScript login is secure?

We've implemented the JavaScript login plugin for our site using these instructions, but are now running into problems ensuring that the login is secure. In particular, we want to check that the user ...

4 votes, 1 answer, 87 views

Security in token auth when using other providers' authentication services such as Soundcloud?

User login process via the Soundcloud Connect button: press the button on the website and start a session with a random token generated by the API server, without authenticating the user on Soundcloud. The user is ...

4 votes, 1 answer, 87 views

How can I register a new user with a user-defined unique identifier when leveraging OAuth code flow?

I'm building a sign-up / login flow for a web site. I plan to use Facebook as my identity provider instead of rolling my own. I have a good feel for the server-side login flow with Facebook: Call FB ...

4 votes, 0 answers, 752 views

Spark UI Authentication

I am trying to find a way to secure my Apache Spark cloud cluster. From the Spark documentation I get the following: spark.ui.filters - Comma separated list of filter class names to apply to the ...

4 votes, 1 answer, 272 views

Two-way authentication in Symfony 2 project

I need to implement a two-way authentication process in one of my Symfony 2 projects according to this algorithm: The user enters his username and password in the authentication form and submits it. The system ...

4 votes, 2 answers, 4k views

Authenticating mobile device

I'm developing a client-server application, where client applications will run on mobile devices (Android, iOS) and will communicate with the server via the HTTP protocol. Mobile applications will be ...

4 votes, 0 answers, 1k views

WCF + Client Authentication by Certificate

I'm running a WCF service which should only accept clients which are able to authenticate themselves with an SSL client certificate. As the security mode I'm using transport security. It is required that the ...

4 votes, 0 answers, 709 views

Authorization and Token Validation with WCF Service

I am working on an internal test framework in which one of the requirements is to be able to allocate a resource that can be used within a test (e.g. allocate a physical PC that will be used as part ...

3 votes, 0 answers, 37 views

Can req.user of passport.js be manipulated?

In my API, whenever I get a request I check the req.user._id which is added to any request when you have Node.js using the passportJS authentication middleware. My question is this: can a hacker ...

3 votes, 2 answers, 392 views

Facebook OAuth security using passport-facebook

I am currently using a client-side React component to have a user login to Facebook via OAuth in my application. On the server-side, I use the npm package passport-facebook-token to validate the ...

3 votes, 0 answers, 272 views

HttpOnly vs LocalStorage to store JWT

There are many similar questions here on SO asking about this, but I couldn't find any that would address my concerns about using HttpOnly cookies. There are many answers that suggest using HttpOnly ...

3 votes, 1 answer, 97 views

Proxy K8S app delegating authentication of requests from other pods

Background: I have a K8S cluster with a number of different pods that have their own specific service accounts, cluster roles, and cluster role bindings, so that they can execute various read/write ...

3 votes, 1 answer, 2k views

.NET Core Web API Authentication with MongoDB

Hi, I have a .NET Core 2.0 Web API project which does CRUD operations in MongoDB. I want to secure my API, like basic authentication or JWT tokens, like with MsSql, or not necessarily with a database, but I ...

3 votes, 0 answers, 58 views

Both Stackoverflow and Google APIs require the App key to be passed as a query parameter. Why isn't this a security flaw?

Most of the Google APIs (Maps/Places for instance) and the Stackoverflow API (when not using OAuth, thus not impersonating a user) will require a key parameter to be passed. This key identifies the ...

3 votes, 1 answer, 679 views

Spring security: register users during runtime

I have a service with two end-points: Public Endpoint: anyone can access it and open a user account (register). Protected Endpoint: only a registered user can access it, by using the Authorization ...

3 votes, 0 answers, 315 views

Storing authentication tokens in DB

I have a unique authentication token per client, of which all tokens are stored in a server database. As this is effectively a password, providing access to all of the logged in user's data, I assume ...

3 votes, 1 answer, 1k views

Storing a token for offline authentication

I am working on an application that requires users to log in before they can use it. Users should only be able to log in when connected to the internet. When a user logs in, a token should be stored ...

3 votes, 0 answers, 1k views

Access SSRS 2016 ReportViewer (URL Access) Securely without Username/Pwd Prompt

I've searched the better part of 2 days for an answer (here and elsewhere on the net) and I am thoroughly stumped. In brief: I have an app with an IFrame that I want to have render certain reports ...

3 votes, 1 answer, 131 views

API Authentication flow

I'm currently writing an API in Go and have been racking my brain over how to do authentication/authorization correctly and securely. As I understand it, this is how it goes: New user registers for ...

3 votes, 0 answers, 438 views

Login doesn't work sometimes on WildFly 10.1.0.Final high availability cluster

I request a secured page and WildFly redirects me to the login page. After I enter credentials, usually it redirects me to the secured page. But sometimes nothing happens and I stay at the login page. And there are ...

3 votes, 0 answers, 203 views

Guard authentication and serializable user

I have been assigned the task to improve the authentication system on a Symfony-based website. The details don't matter; what's important is that the new Guard component (introduced in Symfony 2.8) is ...

3 votes, 0 answers, 327 views

How do I secure the Jenkins github-webhook path?

I started to set up GitHub webhooks with Jenkins, and I got it working as https://jenkins.mydomain.com/github-webhook/ - without the username and password. I want to secure it with a username and ...

3 votes, 2 answers, 2k views

Fake account creation prevention on a Laravel website

I'm working on a Laravel project I'm building on my own that will require a fake account creation prevention system. I've already read some articles online and for now all the solutions which came to ...

3 votes, 0 answers, 285 views

Symfony 2 optional API Key authentication

I've followed the official docs to set up API key authentication for a certain URL pattern (Sf2.7 API Key auth docs). The API Key firewall is defined before the main (normal login) firewall and it ...

3 votes, 0 answers, 1k views

How to configure WCF client with certificate to use the 'anonymous' authentication scheme?

I have a pair of client and server apps that use WCF in order to pass data one way from the client to the server, and it has to happen in a custom binding with HTTPS and X509 certificate authentication ...

3 votes, 0 answers, 2k views

Spring Security - POST request getting blocked by authentication

I have the following code in my WebSecurityConfigurerAdapter @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers(HttpMethod.POST, "/...

3 votes, 0 answers, 3k views

Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration

I recently migrated a web forms solution from Windows authentication to forms authentication. Everything works fine on the dev server, but when I get it to production, as soon as I make an HTTP POST I get ...
