@si14
Last active November 23, 2020 17:53

webapp/OAuth2/REST API stack security checklist

OAuth2 (implicit flow)

  • response_type is a constant set for the particular app on the server (1)
  • redirect_uri is fixed the same way (1)
  • the "state" parameter is echoed by the server and checked by the client (1)
  • a hash of the "state" parameter is stored in LocalStorage and destroyed on receiving the redirect (1)
  • the "client_id" parameter is checked (after obtaining the token, make a request to the server to get the "token_id" for this token and compare it to the existing one) (2, 3)
  • the IP is saved for a particular token on grant and checked on access
  • the token expires in a reasonable time

Auth

  • TOTP is required
  • minimum password length and strength (dictionary check?) are enforced
  • a strong hash (PBKDF2/bcrypt/scrypt) is used
  • a long random per-user salt is used
  • the hash and salt aren't leaked on the /users (or similar) endpoint
  • the session cookie is restricted to the login and OAuth2-auth endpoints

TLS

Extra

  • X-Content-Type-Options: nosniff
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Security-Policy

Links

  1. http://homakov.blogspot.ru/2013/03/oauth1-oauth2-oauth.html
  2. http://homakov.blogspot.ru/2012/08/oauth2-one-accesstoken-to-rule-them-all.html
  3. http://technotes.iangreenleaf.com/posts/closing-a-nasty-security-hole-in-oauth.html
  4. https://github.com/angular-oauth/angular-oauth (example of implicit flow implementation)