introduction to web security


Upload: kamil-lelonek

Post on 06-Aug-2015


Page 1: Introduction to Web Security

Web Security

• What is security in web app context?
• Authentication vs Authorization
• „Standard” way - Stateful
• „Modern” way - Stateless
• Cookies and Tokens
• Double and 2-step verification
• Useful libraries
• Summary

Page 2: Introduction to Web Security

What is Security?

• the practice of defending information from unauthorized access
• keeping all valuable information away from unprivileged users
• protecting data from leaking outside the company
• storing confidential information only for provisioned roles

Page 3: Introduction to Web Security

Authorization vs Authentication

Page 4: Introduction to Web Security

Unauthorized vs Forbidden

Page 5: Introduction to Web Security

Session

• Storing data on the server side
• Client passes back only the id
• Server knows which user it is talking to
• Lasts from the user's first visit to the page and is kept for some time after their last activity (request)
• It is almost impossible to know that the user has left the page
• In most servers the session expires after a particular period

Page 6: Introduction to Web Security

RESTful

• The whole state needs to be held by the client, not the server

• State is transferred in every request to relieve the server from remembering it

• An ideal RESTful service allows clients to perform any needed task in one request

Stateless?

Actually, there is a state!

When it comes to authentication, some information has to stay on the server side for security reasons

Page 7: Introduction to Web Security

And what about cookies?

• If cookies are used to maintain state at the client side, for the client, of the client and by the client, then they are RESTful.

• For clients other than browsers, managing cookies is a pretty big inconvenience compared to query params

• However, in a browser, using cookies can make lots of things much simpler

• The API should first look in the Authorization header for the authentication data (the place for non-browser clients) and, in case authentication data is missing, may also check for a session cookie

• When we are the only developers creating apps which can access our web service, we can depend on cookies and implement cookie mechanisms in our applications

Page 8: Introduction to Web Security

(Diagram: Login → Token → Request / Response → Data → DB)

Use the new TLS!

• Asymmetric cryptography
• Secure data between connection endpoints
• Client encrypts data, Server decrypts it
• Protects from MITM

Page 9: Introduction to Web Security

Multi-factor authentication

Token +
• IP
• User Agent

• SMS
• Biometric
• Face
• Electronic signature
• Codes from card

Page 10: Introduction to Web Security
Page 11: Introduction to Web Security

Cross-Site Scripting

https://xss-game.appspot.com/

https://github.com/gbirke/Sanitize.js
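The defensive side of the XSS slide, as an added example (not code from the slides or from Sanitize.js): user-controlled text is escaped for the HTML context it lands in, and link targets are restricted to an allow-list of schemes. The comment-rendering functions and the constructed sample input are assumptions made for the example; the unsafe variant is kept only to show the difference.

```javascript
// Added example: output escaping as the basic XSS defence.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: user input is concatenated straight into markup.
function renderCommentUnsafe(name, text) {
  return `<li><b>${name}</b>: ${text}</li>`;
}

// Hardened: every user-controlled value is escaped for the HTML context.
function renderComment(name, text) {
  return `<li><b>${escapeHtml(name)}</b>: ${escapeHtml(text)}</li>`;
}

// Links need more than escaping: a javascript: URL is harmless as text but
// executes as an href, so only http(s) targets are allowed through.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') return escapeHtml(u.href);
  } catch {
    // not a parseable absolute URL
  }
  return '#';
}

// Constructed sample input (classic probe string used in the XSS game).
const SAMPLE_COMMENT = '<script>alert(1)</script>';
```

In a browser the same rule applies when building DOM nodes: assign user text to `textContent` or use a sanitizer such as Sanitize.js, rather than writing it to `innerHTML`.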

Page 12: Introduction to Web Security

2-step verification

Page 13: Introduction to Web Security
Page 14: Introduction to Web Security

Useful GEMs for Rails

• the_role | https://github.com/the-teacher/the_role

  Which resources are available for what role (group of users)
  Roles and permissions are declared with JSON and stored in the DB
  Access can be managed from an administrative panel within our web app

• declarative_authorization | https://github.com/stffn/declarative_authorization

  The developer needs to specify which roles are allowed to access a specific controller action or a part of a view
  Authorization at controller, model or view level
  DSL for specifying authorization rules

• devise | https://github.com/plataformatec/devise

  Complete MVC solution based on the modularity concept
  Offers a complete session model for authentication
  Provides generators for scaffolding an authorization skeleton

Page 15: Introduction to Web Security

$ npm install jsonwebtoken

$ bower install jsjws

http://jwt.io/#

Page 16: Introduction to Web Security

https://oauth.io/home

Page 17: Introduction to Web Security

https://auth0.com/