
Further to the recent changes adding authentication and authorisation, some considerations for your security threat model #7

Open
SimonGeering opened this issue Jun 7, 2019 · 1 comment
Labels: enhancement (New feature or request), help wanted (Extra attention is needed), question (Further information is requested)

Comments

@SimonGeering (Contributor)

There is currently a bunch of discussion going on about the various approaches to adding OpenID Connect, specifically around potential risks of using implicit flow, as is common in SPA apps, a good overview of this being presented here:
https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/

You may find the following useful in deciding which way you want to implement OIDC in your app:
https://damienbod.com/2019/04/02/securing-browser-based-javascript-typescript-applications/

The following article presents one solution to this situation:
https://leastprivilege.com/2019/01/18/an-alternative-way-to-secure-spas-with-asp-net-core-openid-connect-oauth-2-0-and-proxykit/

You probably also want to take advantage of the .NET Core XSS protections:
https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-3.0
and XSRF/CSRF protections:
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.0

Additionally, it would be worth looking at the OWASP top 10 security issues
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

A good cheat sheet for these is here:
https://github.com/OWASP/CheatSheetSeries#cheat-sheets-index

@csharpfritz added the enhancement, help wanted and question labels on Jun 16, 2019

@csharpfritz (Contributor)

Let's get past an initial minimum viable product and then apply these security practices.
