Adam Hopkins - Overcoming access control in web APIs

Security

Learn how to overcome access control in web APIs by considering authentication and authorization separately, using tokens and header-based security measures, and implementing structured scopes and protection methods to ensure secure and controlled access.

Key takeaways
  • Consider authentication and authorization separately; authentication is about “who is this person?”, while authorization is about “are they allowed to do this?”
  • Use tokens to store authentication information, but avoid storing sensitive information in cookies
  • Browsers are a problem because they can’t handle security features like HTTP-only cookies; use header-based security measures instead
  • JWTs are a common way to handle authentication, breaking into three parts: namespace, action, and signature
  • Use structured scopes to handle authentication and authorization; structured scopes are a way to define permissions without storing them in a database
  • Don’t rely on cookies for authentication; instead, use header-based security measures
  • Use a protection method to validate tokens and prevent unauthorized access
  • Remember that authentication failure is a 401 status code, and authorization failure is a 403 status code

More talks

Keynote: How I Met Your Data - Troy Hunt - NDC Security 2024

Greg Molnar - The state of security in Rails 8 - Rails World 2024

Oblivious RAM: From Theory to Large-scale Real-world Deployment

Q&A with Elviss Strazdiņš

Jenny Shen - Demystifying the Ruby package ecosystem - Rails World 2023

Confused Learning: Supply Chain Attacks through Machine Learning Models

How To Be a Postgres DBA in a Pinch with Elizabeth Christensen - DjangoCon US 2022

Select ML from Databases [PyCon DE & PyData Berlin 2024]