MDN Series

CORS

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS


Cookies

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

- You can ensure that cookies are sent securely and aren't accessed by unintended parties or scripts in one of two ways: with the Secure attribute and the HttpOnly attribute.

- Secure - A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily.

- HttpOnly - A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it's only sent to the server. For example, cookies that persist in server-side sessions don't need to be available to JavaScript and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.

This does not mean HttpOnly cookies are not sent with XHR requests.


TODO

CSRF, XSS, Cache Headers, Vary

Comments

Post a Comment

Popular posts from this blog

Should you always have null checks?

 I had a habit of always adding a null check at the start of a method, for validating method arguments. However, I gradually learnt this might not always be a good idea. Checking for nulls when your code does not expect a null value would just hide the problem happening upstream. Also, since the error would manifest in some other part of the code, it will be a nightmare the debug what actually failed. Instead, if you let the code throw an NPE, your application will fail fast and report exactly where the exception was thrown. So, unless your code expects nullable values, its not a good idea to add null checks. More discussion on this - https://softwareengineering.stackexchange.com/questions/147480/should-one-check-for-null-if-he-does-not-expect-null
Read more

Identity Terms and Definitions

Identity Terms and Definitions SAML Profiles http://saml.xml.org/components-profiles gives the best definition of identity protocol profiles in general, Generally, a profile of SAML defines constraints and/or extensions in support of the usage of SAML for a particular application – the goal being to enhance interoperability by removing some of the flexibility inevitable in a general-use standard. For instance, the Web Browser SSO Profile specifies how SAML authentication assertions are communicated between an identity provider and service provider to enable single sign-on for a browser user.
Read more