Auth
Web Authentication and Authorization¶
WebAuthn¶
https://webauthn.guide/
Session Cookies¶
Session cookies should be marked HttpOnly and Secure; for extra protection add the SameSite attribute and the __Host- cookie prefix (which browsers only accept when the cookie is Secure, has Path=/ and no Domain attribute).
Set-Cookie: __Host-CookieName=CookieValue; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: __Host-CookieName=CookieValue; Path=/; Secure; HttpOnly; SameSite=Strict
Security Headers¶
Strict-Transport-Security header
Everything you need to know about HTTP security headers
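The following is an added example, not code from the original notes: it builds a session cookie with the attributes the Session Cookies section calls for and audits Set-Cookie and Strict-Transport-Security headers for the common omissions. The sample response headers are constructed, and the one-year HSTS threshold is the usual recommendation rather than anything the notes state.

```python
# Added example (not from the original notes): build a hardened session
# cookie and audit Set-Cookie / Strict-Transport-Security headers for the
# attributes the notes call for. Sample headers are constructed.
import re
from typing import Dict, List

# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, '"', ',', ';', '\'
_COOKIE_VALUE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
_COOKIE_NAME = re.compile(r"[A-Za-z0-9_-]+")
ONE_YEAR = 31536000  # commonly recommended minimum HSTS max-age


def build_session_cookie(name: str, value: str, same_site: str = "Lax") -> str:
    """Return a Set-Cookie value using the __Host- prefix.

    Browsers only accept a __Host- cookie when it is Secure, has no Domain
    attribute and has Path=/, so the prefix pins the cookie to this exact
    origin. Name and value are validated so an untrusted value cannot smuggle
    in extra attributes (e.g. "x; Domain=evil.test").
    """
    if same_site not in ("Strict", "Lax"):
        raise ValueError("a session cookie should use SameSite=Strict or Lax")
    if not _COOKIE_NAME.fullmatch(name):
        raise ValueError("cookie name must be a simple token")
    if not _COOKIE_VALUE.fullmatch(value):
        raise ValueError("cookie value contains characters not allowed in a cookie")
    return f"__Host-{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def audit_set_cookie(header_value: str) -> List[str]:
    """Return findings for one Set-Cookie header value (empty list = OK)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    elif attrs["samesite"].lower() not in ("lax", "strict"):
        findings.append("SameSite=None gives no CSRF protection")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            findings.append("__Host- cookie must not set Domain")
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must set Path=/")
    else:
        findings.append("consider the __Host- prefix")
    return findings


def audit_hsts(headers: Dict[str, str]) -> List[str]:
    """Check Strict-Transport-Security; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        return ["missing Strict-Transport-Security"]
    findings = []
    match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if match is None:
        findings.append("HSTS without max-age is invalid and ignored")
    elif int(match.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS without includeSubDomains")
    return findings


# Constructed sample response headers, not captured from a real site.
SAMPLE_HEADERS = {
    "Set-Cookie": "session=abc123; SameSite=Lax",
    "Strict-Transport-Security": "max-age=300",
}


def audit_response(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit the cookie and HSTS headers of one response."""
    report = {}
    if "Set-Cookie" in headers:
        report["Set-Cookie"] = audit_set_cookie(headers["Set-Cookie"])
    report["Strict-Transport-Security"] = audit_hsts(headers)
    return report


if __name__ == "__main__":
    print(build_session_cookie("session", "abc123"))
    for header, issues in audit_response(SAMPLE_HEADERS).items():
        print(header, "->", issues or ["ok"])
```

Feed audit_response the headers of a real response (one Set-Cookie at a time) to get a per-header list of findings; the value validation in build_session_cookie is what stops a caller-supplied value from appending its own attributes.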
APIs¶
- Use a bearer token.
- Enforce TLS; revoke any token that is presented over plain HTTP instead of HTTPS.
- If you use OpenID/OAuth for client sign-ins, require HTTPS callback URLs and issue scoped permissions.
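The following is an added example, not code from the original notes, showing the three API rules above as server-side checks: a bearer token is required, a token that arrives over plain HTTP is revoked on the spot and the request refused, and an OAuth/OpenID callback is accepted only if it is HTTPS and exactly matches a registered URI. The request is modelled as a plain dict, and the token store, subject names and scope names are constructed for the example.

```python
# Added example (not from the original notes): bearer-token checks for an API
# endpoint. The request is modelled as a plain dict with the fields the checks
# need; the token store, subjects and scope names are constructed.
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlsplit


@dataclass
class TokenRecord:
    subject: str
    scopes: Set[str]
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    subject: Optional[str] = None


def _digest(token: str) -> str:
    # Store only a hash so a leaked token table cannot be replayed directly.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def issue(self, token: str, subject: str, scopes: Set[str]) -> None:
        self._records[_digest(token)] = TokenRecord(subject, set(scopes))

    def revoke(self, token: str) -> None:
        record = self._records.get(_digest(token))
        if record is not None:
            record.revoked = True

    def lookup(self, token: str) -> Optional[TokenRecord]:
        return self._records.get(_digest(token))


def authorize(store: TokenStore, request: Dict[str, str], required_scope: str) -> Decision:
    """Validate the bearer token on a request and enforce the scope it needs.

    request["scheme"] is the scheme the request actually arrived over
    ("https" or "http"); request["authorization"] is the Authorization header.
    """
    scheme_name, _, token = request.get("authorization", "").partition(" ")
    if scheme_name.lower() != "bearer" or not token:
        return Decision(False, "missing bearer token")
    if request.get("scheme") != "https":
        # The token travelled in the clear, so treat it as compromised:
        # revoke it even if it was otherwise valid, and refuse the request.
        store.revoke(token)
        return Decision(False, "token sent over plaintext HTTP; token revoked")
    record = store.lookup(token)
    if record is None or record.revoked:
        return Decision(False, "unknown or revoked token")
    if required_scope not in record.scopes:
        return Decision(False, f"token lacks scope {required_scope!r}")
    return Decision(True, "ok", record.subject)


def validate_callback(redirect_uri: str, registered: Set[str]) -> bool:
    """Accept an OAuth/OpenID callback only if it is HTTPS and exactly matches
    a registered URI (no prefix or wildcard matching, no fragment)."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment or not parts.netloc:
        return False
    return redirect_uri in registered


if __name__ == "__main__":
    store = TokenStore()
    store.issue("tok-read-1", "alice", {"read"})
    print(authorize(store, {"scheme": "https", "authorization": "Bearer tok-read-1"}, "read"))
    print(authorize(store, {"scheme": "http", "authorization": "Bearer tok-read-1"}, "read"))
    print(authorize(store, {"scheme": "https", "authorization": "Bearer tok-read-1"}, "read"))
    print(validate_callback("http://app.example.test/cb", {"https://app.example.test/cb"}))
```

Behind a reverse proxy the "scheme" field must come from a trusted source (the proxy's own forwarded-proto header, stripped from client input), otherwise the plaintext check can be bypassed by the client.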
Account Takeover¶
- Test account lookup and registration with a Unicode variant of the email address.
- Check whether the password reset link can be reused.
- If the application uses OAuth to log in to an account, create an account with the same email address to pre-hijack the account.
- Test whether the Host, Referer, X-Forwarded-For and Origin headers change the domain used in the password reset link.
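As an added example (not from the original notes), here is the defensive side of the checks above: a password-reset flow that canonicalizes the email address before lookup so a Unicode variant cannot miss or shadow the real account, issues single-use, expiring tokens stored only as hashes, and builds the link from a configured origin rather than from any request header. The account table, base URL, TTL and the ASCII-only policy are assumptions made for the example.

```python
# Added example (not from the original notes): a password-reset flow hardened
# against the checks listed above. Account data, base URL, TTL and the
# ASCII-only policy are constructed assumptions for the example.
import hashlib
import secrets
import time
import unicodedata
from dataclasses import dataclass
from typing import Dict, Optional

# The reset link is built from this configured origin, never from the Host,
# X-Forwarded-Host, X-Forwarded-For, Origin or Referer headers of the request.
RESET_BASE_URL = "https://accounts.example.test"
TOKEN_TTL_SECONDS = 15 * 60


def normalize_email(address: str) -> Optional[str]:
    """Canonicalize an address before any lookup or registration.

    NFKC folds Unicode look-alikes (e.g. fullwidth letters) onto their ASCII
    forms and casefold removes case differences, so a Unicode variant resolves
    to the same account instead of slipping past an exact-match comparison.
    Addresses still non-ASCII afterwards are rejected (a policy assumption).
    """
    canonical = unicodedata.normalize("NFKC", address).strip().casefold()
    if not canonical.isascii() or canonical.count("@") != 1:
        return None
    return canonical


@dataclass
class ResetToken:
    email: str
    expires_at: float
    used: bool = False


def _digest(token: str) -> str:
    # Only the hash is stored, so a database leak does not expose live links.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, accounts: Dict[str, str]) -> None:
        self._accounts = accounts                 # canonical email -> user id
        self._tokens: Dict[str, ResetToken] = {}  # sha256(token) -> record

    def request_reset(self, address: str, now: Optional[float] = None) -> Optional[str]:
        """Return the reset link to e-mail, or None if no account matches.

        The HTTP response should look identical in both cases so the endpoint
        does not reveal which addresses are registered.
        """
        now = time.time() if now is None else now
        email = normalize_email(address)
        if email is None or email not in self._accounts:
            return None
        for old in self._tokens.values():
            if old.email == email:
                old.used = True  # only the newest link for an account is valid
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = ResetToken(email, now + TOKEN_TTL_SECONDS)
        return f"{RESET_BASE_URL}/reset?token={token}"

    def consume(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Redeem a token once; returns the user id or None."""
        now = time.time() if now is None else now
        record = self._tokens.get(_digest(token))
        if record is None or record.used or now > record.expires_at:
            return None
        record.used = True  # single use: the same link cannot be replayed
        return self._accounts[record.email]


if __name__ == "__main__":
    service = PasswordResetService({"alice@example.test": "user-1"})
    link = service.request_reset("\uff21lice@example.test")  # fullwidth 'A' variant
    print(link)
    token = link.split("token=", 1)[1]
    print(service.consume(token), service.consume(token))  # second call is None
```

The `now` parameter exists so expiry can be exercised deterministically; in production the default of time.time() is used. Note that invalidating earlier tokens on each new request also limits the window in which an older leaked link stays usable.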