reactordev 6 days ago
Assume every token is forged. Secure by default. Even if it wastes CPU, validate each and every field. Signatures only work if verified. While you're at it, validate it against your identity database as well. Double check, triple check if you must. This is what I taught my devs. Tenant, User, Group, Resource - validate it all before allowing it through.
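The checklist in this comment (pin the algorithm, verify the signature before reading any claim, require every field, then cross-check tenant, user, group and resource against the identity store) as an added, stand-alone Python example; it is not code from the commenter or from any library. It uses only the standard library, an HS256-style token, a constructed in-memory identity database, and assumed issuer and audience values; a real deployment would query its identity provider and load the key from a secret store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identity database (assumption: stands in for the real directory/IdP).
IDENTITY_DB = {
    "tenants": {"acme": {"users": {"alice", "bob"}}},
    "users": {
        "alice": {"tenant": "acme", "groups": {"admins", "engineers"}, "active": True},
        "bob": {"tenant": "acme", "groups": {"engineers"}, "active": False},
    },
    "resources": {"report-42": {"tenant": "acme", "allowed_groups": {"admins"}}},
}

SECRET = b"constructed-demo-hmac-key"      # constructed; load from a secret store in practice
EXPECTED_ISSUER = "https://issuer.example"  # assumed value
EXPECTED_AUDIENCE = "reports-api"           # assumed value
REQUIRED_CLAIMS = ("iss", "aud", "exp", "iat", "tenant", "sub", "groups")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims, key=SECRET):
    """Build an HS256-style token; used here only to construct inputs for the checker."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token, resource, now=None, key=SECRET):
    """Treat the token as forged until every field checks out. Returns (ok, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts

    # 1. Header: the verifier pins the algorithm; 'alg' from the token never selects it.
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return False, "bad header"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"

    # 2. Signature, constant-time compare, before any claim is trusted.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return False, "bad signature encoding"
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"

    # 3. Every required claim present, well-typed and within bounds.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return False, "bad payload"
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return False, f"missing claims: {missing}"
    if claims["iss"] != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims["aud"] != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if not isinstance(claims["iat"], (int, float)) or claims["iat"] > now + 60:
        return False, "issued in the future"
    if not isinstance(claims["groups"], list):
        return False, "groups must be a list"

    # 4. Cross-check against the identity database: tenant, user, group, resource.
    tenant = IDENTITY_DB["tenants"].get(claims["tenant"])
    user = IDENTITY_DB["users"].get(claims["sub"])
    res = IDENTITY_DB["resources"].get(resource)
    if tenant is None or user is None or res is None:
        return False, "unknown tenant, user or resource"
    if claims["sub"] not in tenant["users"] or user["tenant"] != claims["tenant"]:
        return False, "user does not belong to tenant"
    if not user["active"]:
        return False, "user disabled"
    if not set(claims["groups"]).issubset(user["groups"]):
        return False, "token claims groups the user does not hold"
    if res["tenant"] != claims["tenant"]:
        return False, "resource belongs to another tenant"
    if not user["groups"] & res["allowed_groups"]:  # the database, not the token, decides
        return False, "no group grants access to resource"
    return True, "ok"
```

The order matters: the signature is checked before a single claim is parsed for meaning, and the final authorization decision uses the groups the database holds for the user, so a token that inflates its `groups` claim is rejected even if it was signed with the right key.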
Permik 6 days ago
Also knowing the difference between authentication and authorization is crucial and should not be forgotten. | ||||||||
8note 5 days ago
Also assume that the valid credentials have been stolen and are being used by a hacker. Make sure anything done in a session can be undone as part of sanitizing the user.
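One way to make "anything done in a session can be undone" concrete, as an added example that is not the commenter's code: every state-changing operation registers its own compensating action in a per-session journal, so that when a session is found to have been driven by stolen credentials it can be revoked and rolled back in reverse order without touching what other sessions of the same user did. The account model, session ids and operations are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable


class Account:
    """Constructed in-memory account state that sessions can modify."""

    def __init__(self):
        self.email = "alice@example.test"  # constructed
        self.api_keys = {"key-1"}          # constructed
        self.shares = set()


@dataclass
class Action:
    session_id: str
    description: str
    undo: Callable[[], None]   # compensating action captured at write time


class SessionJournal:
    """Records every change with its inverse so a whole session can be reverted."""

    def __init__(self):
        self._log = []
        self._revoked = set()

    def record(self, session_id, description, undo):
        if session_id in self._revoked:
            raise PermissionError("session revoked")
        self._log.append(Action(session_id, description, undo))

    def revoke_and_rollback(self, session_id):
        """Block further writes from the session, then undo its actions newest-first."""
        self._revoked.add(session_id)
        undone = []
        for action in reversed([a for a in self._log if a.session_id == session_id]):
            action.undo()
            undone.append(action.description)
        self._log = [a for a in self._log if a.session_id != session_id]
        return undone


# Each operation writes its change and immediately journals how to reverse it.
def change_email(acct, journal, sid, new_email):
    old = acct.email
    acct.email = new_email
    journal.record(sid, f"email {old} -> {new_email}", lambda: setattr(acct, "email", old))


def add_api_key(acct, journal, sid, key):
    acct.api_keys.add(key)
    journal.record(sid, f"add key {key}", lambda: acct.api_keys.discard(key))


def share_with(acct, journal, sid, principal):
    acct.shares.add(principal)
    journal.record(sid, f"share with {principal}", lambda: acct.shares.discard(principal))


def demo():
    """Two sessions touch one account; only the compromised one is rolled back."""
    acct, journal = Account(), SessionJournal()
    change_email(acct, journal, "s-compromised", "attacker@example.test")  # constructed
    add_api_key(acct, journal, "s-compromised", "key-new")
    share_with(acct, journal, "s-legit", "bob")  # a different session; must survive
    undone = journal.revoke_and_rollback("s-compromised")
    return acct, journal, undone
```

The design choice is that the inverse is captured at the moment of the write, when the old value is still known, rather than reconstructed later from logs; that is what makes "sanitizing the user" a mechanical operation instead of a manual investigation.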