
For an application with login and logout functionality and browsing based upon authentication, what do I need to secure it? I am basically very new to security, and googling is leading to more confusion.

To start with, I have decided to use JWT as the backbone. The client will log in, he/she gets a JWS, and the communication starts. My first question is, do I also need to implement CSRF protection for that? The way I see it, a malicious site or hacker will not be able to cause a CSRF attack. What else do I need to do to secure it more? I might have to save the token in a cookie using httpsecure. Will that be enough for the setup?

Gagan Singh
  • Try to scan your application with some open source tools like OWASP's ZAP. It's super easy, and it provides advice for fixing found issues. – MrSnowMan Jul 26 '20 at 11:55
  • OK, but can you also give some insight on the setup I am about to use? Do I need CSRF protection if I am using JWT? – Gagan Singh Jul 26 '20 at 12:01

1 Answer


Let's start with whether you need anti-CSRF tokens if you are using JWT tokens. The question is rather whether you are passing the JWT token via a cookie or not. If you don't pass the token via a cookie, you don't need anti-CSRF tokens.

Regarding what you need to consider to make your application secure: there are different approaches to application security. I would advise downloading the OWASP Application Security Verification Standard and implementing at least all Level 1 requirements. Yes, there are many, but not everything will be relevant for your application. This is also a great point to start learning about application security.

Marek Puchalski
  • Can you suggest what the best practice will be? I mean, the server will send the token, I store it in cookies. For my request I pass it on in the header. In that case my application will be secure against CSRF attacks, right? I'll check out the link. – Gagan Singh Jul 26 '20 at 14:18
  • You need to have something that will not work on its own. When you manage your session over a cookie, then the cookie will be automatically attached to all requests, even those coming from malicious sites. This opens the door to CSRF. When your JS code attaches the token to every request as Authorization: Bearer token, then you are safe, as this is a secret that will not be attached by your browser on its own. – Marek Puchalski Jul 26 '20 at 20:18
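The answer and the last comment describe two transport paths for the same JWT. The following is an added example (not code from either poster) showing a server-side check that treats them differently: a token in the `Authorization: Bearer` header needs no anti-CSRF measure, while a token in a cookie is only accepted together with an `X-CSRF-Token` header that echoes a `csrf` claim baked into the token. The secret, cookie name (`session`), header name and claim name are assumptions chosen for the demo; the HS256 signing is done with the standard library only.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # placeholder; use a random key of at least 32 bytes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(_unb64(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

def authenticate(headers: dict, cookies: dict, secret: bytes = SECRET, now=None):
    """Resolve the caller from request headers and cookies; returns claims or None."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        # Header-borne token: the browser never attaches it on its own, so a
        # cross-site form or image tag cannot ride on it. No anti-CSRF check needed.
        return verify_jwt(auth[len("Bearer "):], secret, now)
    token = cookies.get("session")  # assumed cookie name
    if token is None:
        return None
    claims = verify_jwt(token, secret, now)
    # Cookie-borne token: sent automatically on cross-site requests, so demand proof
    # that our own JS built the request: a custom header (which a plain HTML form
    # cannot set) carrying the csrf value that was embedded in the token at login.
    sent = headers.get("X-CSRF-Token", "")
    if claims is None or not hmac.compare_digest(sent, str(claims.get("csrf", ""))):
        return None
    return claims
```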