Client side security improvement
Closed this issue · 2 comments
This is an issue as a follow-up of the security-related discussion in #110. This is the client part of the whole security improvement in #92.
Quoted the comments here for convenience:
Hi @girikuncoro, this PR is meant for discussion of what I've done to implement the token in the UI.
Since we don't have a login UI yet, for now the token is hardcoded and embedded in the API_HEADERS object. All UI functionality is back to normal now for our newest API. Since it is a temporary implementation, I'd like to discuss the next implementation here.
Considering vulnerability to XSS and CSRF attacks, I've planned to follow the pattern discussed in this article: http://www.redotheweb.com/2015/11/09/api-security.html
In summary, the secure way to implement authentication is by combining a session token and a session cookie, which are immune to both XSS and CSRF.
So the AJAX call to POST /authenticate should expect both a session cookie header and a token in the response body. They must be different, otherwise an attacker getting access to either one of them could bypass both authentications.
Other than the token in the response body, we need the session cookie header included in the API response, which is not available in our current API implementation, am I right?
By the way, what do you think about this approach? Do you have another approach that we can implement based on your experience? Let's discuss it further.
Currently handled by the #92 PR, but we will revisit and rediscuss this at the end of product development.