Securing Single Page Apps and REST Services

Securing Single Page Apps and REST Services(jamesward.com)

6 points by throwmeaway2525 12 years ago | 3 comments

I'm not the author, I'm just curious what people think of this approach. Does it sound reasonable?

Todd 12 years ago | |

This appears to be another mechanism to mitigate CSRF vulnerabilities, tailored to a single page app. It is quite similar to, for example, putting a security token into a form that is validated on post. The difference is that it is put into a header. This is probably less secure, in fact, because the token comes straight from the cookie. CSRF tokens are typically generated server side and can thus be made cryptographically strong.

It's funny because the author initially advocates against using cookies because they are susceptible to CSRF attacks, and then immediately suggests using cookies as part of this new scheme (albeit in a different way).

This is a good example of why you shouldn't design your own security system unless you are an expert in security and/or cryptography.

throwmeaway2525 12 years ago | | |

I believe the scheme is still generating the token server-side, no?

"The server validates the login information and creates an authentication token for the user"