SECURITY - rs-hash/Senior GitHub Wiki

https://github.com/rs-hash/Learning/wiki/Security,-authentication,-authorization,-Interceptors

OAuth

HTTP vs HTTPS

  • HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) are protocols used for transmitting data over the internet.
  • HTTPS is an extension of HTTP that adds a layer of security through SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption.
  • Data sent over HTTP is transmitted in plain text, making it susceptible to interception and manipulation by malicious actors.
  • HTTPS operates over port 443 by default and encrypts the data transmitted between the web server and the client, protecting it from interception and eavesdropping.
  • Many regulatory standards and best practices (e.g., PCI DSS, GDPR) require the use of HTTPS for securing data transmission and protecting user privacy.

HTTPOnly cookie

  • An HttpOnly cookie is a type of cookie that is set with an HttpOnly flag in its attributes. This flag instructs the browser to restrict access to the cookie only to HTTP requests, preventing client-side scripts (e.g., JavaScript) from accessing the cookie's contents.
  • HttpOnly cookies are commonly used for managing user sessions securely. When a user logs in to a web application, the server sets an HttpOnly cookie containing a session identifier (e.g., session ID or token).
  • The browser automatically includes this HttpOnly cookie in subsequent HTTP requests to the server. Since client-side scripts cannot access HttpOnly cookies, this prevents unauthorized access or manipulation of session-related data by malicious scripts.

Cross-Site Scripting (XSS):

  • Definition: A type of web security vulnerability where malicious scripts are injected into web pages viewed by other users. XSS attacks can steal sensitive data, manipulate content, or perform unauthorized actions on behalf of the user.

SQL Injection

  • Definition: A type of security vulnerability where malicious SQL queries are injected into input fields or parameters of a web application. SQL injection attacks can manipulate databases, access sensitive data, or execute unauthorized commands.

Cross-Site Request Forgery (CSRF)

  • Definition: A type of attack where unauthorized commands are executed on behalf of a user who is authenticated on a website. CSRF attacks exploit the user's active session to perform malicious actions without their consent.

Security Story

  • HTTPS (SSL/TLS Encryption) Ensure that your application uses HTTPS to encrypt data transmitted between the client (browser) and the server.Obtain and install an SSL/TLS certificate
  • Implement strict input validation on the client side to prevent injection attacks such as Cross-Site Scripting (XSS) and SQL Injection. Validate and sanitize user inputs
  • Implement robust authentication mechanisms (e.g., OAuth, JWT) to verify the identity of users and grant appropriate access levels based on their roles and permissions.
  • Configure CSP headers to restrict the types of content that can be loaded on your web pages. Define policies for scripts, stylesheets, fonts, images, and other resources to reduce the risk of XSS attacks and data leakage * Security Audits and Penetration Testing Conduct regular security audits and penetration testing to identify vulnerabilities, assess risks, and address security weaknesses in your front-end application.
  • We integrate strong authentication mechanisms such as multi-factor authentication (MFA), OAuth, or JSON Web Tokens (JWT) to verify user identities and prevent unauthorized access.
  • We prioritize data security by encrypting sensitive information (e.g., passwords, financial transactions) using strong encryption algorithms like AES-256.

JWT

  • Generating the JWT: The process starts when a user successfully authenticates with the application using their credentials (e.g., username and password) or other authentication mechanisms.
  • Upon successful authentication, the server generates a JWT containing a payload of claims (e.g., user ID, roles, expiration time) and signs it with a secret key or private key using cryptographic algorithms like HMAC or RSA.
  • The JWT consists of three parts separated by periods: Header.Payload.Signature.
  • Sending the JWT to the Client : The server sends the JWT back to the client as part of the authentication response, typically in the form of an HTTP header (e.g., Authorization header with the value "Bearer [JWT]") or as a cookie.
  • Storing and Using the JWT on the Client Side: The client (e.g., web browser) stores the JWT securely, usually in local storage, session storage, or a cookie with appropriate security attributes (e.g., HttpOnly, Secure flag).
  • The client includes the JWT in subsequent requests to the server to access protected resources or endpoints that require authentication and authorization.
  • Verifying and Decoding the JWT on the Server: When the client sends a request to the server with the JWT, the server verifies the JWT's integrity and authenticity by validating the signature using the secret key or public key (in the case of RSA).
  • If the signature is valid, the server decodes the JWT to extract the claims payload, including information about the user (e.g., user ID, roles, permissions).
  • The server checks the JWT's expiration time, issued at time, audience (aud), issuer (iss), and any custom claims to ensure that the JWT is valid and has not been tampered with or expired.
  • Authentication and Authorization: Based on the decoded JWT claims, the server performs authentication by identifying the user and verifying their identity.
  • The server also performs authorization checks to determine whether the user has the necessary permissions and access rights to perform the requested operation or access the requested resource.
  • Handling Token Expiry and Refresh: If the JWT has an expiration time (exp), the server checks if the token has expired. If the token is expired, the client needs to request a new JWT by re-authenticating or using a refresh token (if applicable).
  • A refresh token is a long-lived token used to obtain new access tokens (JWTs) without requiring the user to re-enter their credentials. This process helps manage token expiry and provides a seamless user experience.
  • Revoking or Invalidating Tokens: In certain scenarios (e.g., user logout, account deactivation, token compromise), the server may need to revoke or invalidate JWTs to prevent unauthorized access. This can be achieved by maintaining a blacklist or revocation list of invalidated tokens.
  • Token Renewal and Rotation: Periodically renew or rotate the secret key used to sign JWTs to enhance security and mitigate risks associated with compromised keys or tokens.