Client vs Server Security

• Client code and calls from clients are inherently unsecure: the client medium is not under control and can be manipulated by a bad actor: influence vm, influence browser sandbox, influence memory, influence javascript, influence assembler, intercept and change calls, change https content. The client endpoint is in total control of the client.
  • Conclusion: you must always have validation server side.
  • Corolar: client side validation is for UX purpose (faster to provide feedback) and is optional.
  • When you add client validation you start to break the DRY principle: there is always an already implemented validation algorithm on the server.
  • DRY is also potential broken by a second client.

Credentials

Tokens

Tokens are a temporary proof that you are authorized to do an action. Usually is generated by a server as a final response to a more complicated authentication process. There are several types of tokens: Bearer Token, Refresh Token, API Token depending on how they are generated, used.

• https://stackoverflow.com/questions/25838183/what-is-the-oauth-2-0-bearer-token-exactly
• https://developers.google.com/identity/protocols/OAuth2
• Your Password Complexity Requirements are Worthless - OWASP AppSecUSA 2014
• Cracking Corporate Passwords: Why Your Password Policy Sucks
• linkedin 2016 passwords
  • https://www.reddit.com/r/sysadmin/comments/4n4oox/fyi_the_linkedin_password_database_is_now_on/
  • https://blog.korelogic.com/blog/2016/05/19/linkedin_passwords_2016
  • torrent

PINs

• 4 digit PIN analysis - http://www.datagenetics.com/blog/september32012/

Patterns

Password Rules

• https://blog.codinghorror.com/password-rules-are-bullshit/
• https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
• https://ask.metafilter.com/193052/Oh-Randall-you-do-confound-me-so
• http://world.std.com/~reinhold/diceware.html

Biometrics

• https://medium.freecodecamp.org/why-you-should-never-unlock-your-phone-with-your-face-79c07772a28

Same Origin Policy

The same-origin policy generally prevents one origin from reading arbitrary network resources from another origin

• https://en.wikipedia.org/wiki/Same_origin_policy

CORS - Cross-Origin Resource Sharing

• https://www.html5rocks.com/en/tutorials/cors/
• https://techannotation.wordpress.com/2013/09/30/5-minutes-with-cross-origin-resource-sharing-cors/

CORB - Cross-Origin Read Blocking

• https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md