WORK IN PROGRESS SUBJECT TO CHANGE

Endpoint Protection

The method by which secure endpoints are protected.

A planned method of authenticating HTTP requests from the Safe Places web app is to use a JSON Web Token (JWT).

The rationale for this decision is the token's ability to carry potentially sensitive information (JWT claims) in transit while preserving its integrity through key-signing.

Structure

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "<username>",
  "role": "<user_role>",
  "context": "<hashed_cookie_context>",
  "iat": "<issue_date>",
  "exp": "<expiration_date>"
}

Potential Vulnerabilities

Token Sidejacking

An attacker may steal the token from the authorized user and use it for nefarious purposes. To mitigate this attack, we will employ token contextualization.

  1. We generate a random string during the authentication phase and send it to the client as a cookie.

    1. The cookie must have the flags HttpOnly, Secure, and SameSite.

  2. We store a SHA256 hash of the random string in the token as context.

During token validation, we hash the context in the token and compare it with the sent cookie. If they differ, we reject the request.
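The issue and validation steps above as an added Python example; it is not code from the Safe Places project. It assumes a constructed signing key, a hypothetical cookie name `ctx`, `SameSite=Strict`, and numeric `iat`/`exp` values. Because step 2 puts only the hash in the token, the check here hashes the cookie value received with the request and compares it with the token's `context` claim.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"   # assumption: HS256 key, kept in a secret store in practice
COOKIE = "ctx"                     # hypothetical cookie name

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def context_hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def issue(username, role, ttl=900, now=None):
    """Authentication phase: return (token, Set-Cookie header value, raw random string)."""
    now = int(time.time()) if now is None else now
    fingerprint = secrets.token_hex(32)                      # step 1: random string
    cookie = f"{COOKIE}={fingerprint}; HttpOnly; Secure; SameSite=Strict; Path=/"
    claims = {"sub": username, "role": role,
              "context": context_hash(fingerprint),          # step 2: only the hash is in the token
              "iat": now, "exp": now + ttl}                  # NumericDate seconds (RFC 7519)
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{sign(head + '.' + body)}", cookie, fingerprint

def validate(token, cookie_value, now=None):
    """Return the claims, or None if the signature, expiry or context check fails."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sig, sign(f"{head}.{body}")):
            return None                                      # forged or altered token
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None                                      # accept only the expected algorithm
        claims = json.loads(b64url_decode(body))
        if now >= claims["exp"]:
            return None                                      # expired
        if not hmac.compare_digest(context_hash(cookie_value), claims["context"]):
            return None                                      # token presented without its cookie
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                                          # malformed input is rejected, not raised

if __name__ == "__main__":
    token, cookie, fp = issue("alice", "admin")
    print("Set-Cookie:", cookie)
    print("with cookie:   ", validate(token, fp))
    print("without cookie:", validate(token, "no-matching-cookie"))
```

A token copied out of a request validates only when the matching cookie value accompanies it; a request carrying the token alone fails the context check.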

Access Code Exchange

The method by which access tokens for consent are generated and exchanged.
