Web server security settings - Coggle Diagram
Web server security settings
CSRF tokens
Sent via non-HTTP-only, secure cookies
Consequence: susceptible to XSS
Solution: Use CSP ✅
Send JWT access/refresh tokens via HttpOnly, Secure cookies ✅
All cookies have the 'SameSite' attribute set to 'Strict' ✅
This means the browser will not send the cookies on any cross-site request, so no site other than the thasa wallet website receives them ✅
CORS on backend
Include this in the response header:
Access-Control-Allow-Origin: none except the site's own origin (no wildcard) ✅
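The cookie and CORS settings listed above, as an added example in Node.js (this is not code from the Coggle diagram or from the thasa wallet project). It uses only Node's standard library. The origin `https://wallet.example`, the cookie names and the refresh-cookie path are assumptions chosen for the example; the rule they implement is the diagram's: session-bearing JWT cookies are HttpOnly + Secure + SameSite=Strict, the CSRF cookie is readable by page script (so it omits HttpOnly) but is otherwise locked down the same way, and Access-Control-Allow-Origin echoes only an allow-listed origin and is never `*`.

```javascript
// Added example (not from the diagram): response headers for cookies and CORS.

// Origins allowed to make credentialed cross-origin requests.
// Assumption: the wallet front-end lives at this one origin; anything else is refused.
const ALLOWED_ORIGINS = new Set(['https://wallet.example']);

// Serialize one Set-Cookie value. Every cookie is Secure and SameSite=Strict;
// HttpOnly is the default and is switched off only for the CSRF cookie.
function buildSetCookie(name, value, { httpOnly = true, maxAge, path = '/' } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, 'Secure', 'SameSite=Strict'];
  if (httpOnly) parts.push('HttpOnly');
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  return parts.join('; ');
}

// Decide the Access-Control-Allow-Origin value for a request.
// Returns the request's Origin only when it is allow-listed, otherwise null
// (the header is then omitted and the browser blocks the cross-origin read).
// A wildcard is never returned: '*' cannot be combined with credentials anyway.
function corsAllowOrigin(requestOrigin) {
  if (!requestOrigin) return null; // same-origin or non-browser client: no CORS header needed
  return ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : null;
}

// Headers for a successful login response. Cookie names, lifetimes and the
// refresh-token path are constructed for this example.
function buildResponseHeaders(requestOrigin, tokens) {
  const headers = {};
  const origin = corsAllowOrigin(requestOrigin);
  if (origin) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin'; // caches must key on Origin when the value is echoed
  }
  headers['Set-Cookie'] = [
    buildSetCookie('access_token', tokens.access, { maxAge: 15 * 60 }),
    // Scope the refresh cookie to the refresh endpoint so it is not sent with every request.
    buildSetCookie('refresh_token', tokens.refresh, { maxAge: 7 * 24 * 3600, path: '/auth/refresh' }),
    // Readable by page script on purpose: the client echoes it back in a request header.
    buildSetCookie('csrf_token', tokens.csrf, { httpOnly: false }),
  ];
  return headers;
}

// Constructed sample tokens, used only to show the resulting headers.
const SAMPLE_TOKENS = { access: 'access.sample', refresh: 'refresh.sample', csrf: 'csrf-sample' };
console.log(buildResponseHeaders('https://wallet.example', SAMPLE_TOKENS));
console.log(buildResponseHeaders('https://other.example', SAMPLE_TOKENS)); // no CORS headers at all
```

Note that the second call produces cookies but no `Access-Control-Allow-Origin`, which is the intended behaviour for an origin that is not on the list: the browser will refuse to expose the response to that page.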
Problems:
Should refresh token be placed in cookies?
What is a common mechanism for the client to
implicitly exchange a refresh token for a new access token?
How often should we rotate CSRF tokens?
How do clients handle storage and retrieval of CSRF tokens?
How does the server send the CSRF token to the clients? ✅
Distribute server's IP (don't request from a single IP)
XSS protection
Always sanitize user input with the 'xss' library in Node.js ✅
Enable CSP to tell the browser to load scripts only from the trusted source, which is the web server ✅
Optional: Use a third-party code security review tool:
OWASP
Burp Suite
ZAP
✅
Optional:
Escape the server's HTML response
Set up CSP to prevent XSS ✅
Optional:
The server should serve compressed front-end static files for better performance
IMPORTANT: Use more secure algorithms for JWT signing
Set up a key pair for asymmetric algorithms ✅