Simple Explanation of XSS Attacks

    Cross-Site Scripting (XSS) is one of the OWASP Top 10 most critical web application security risks.
    As a developer I pay extra attention to this attack, because it is 100% caused by vulnerable code, and it is 100% the developer's responsibility to protect against it.

    Advanced HTTPS

    Installing an SSL certificate and enabling HTTPS on your website is not the end of the road for securing the site and the communication to it.
    It is just the start: further HTTPS-related steps are needed to keep your site and your visitors safe. In this post I am going to describe:

    1. TLS and its algorithms in more depth.
    2. Insecure protocols and algorithms.
    3. The best algorithm combination.
    4. Redirecting from HTTP using HSTS.

    The proper way to use OAuth in a native app.

    The IETF has submitted a draft on the best approach to implementing OAuth in a native mobile app. It recommends a specific flow and some security considerations.
    I am going to show how to implement these in code on both mobile platforms, iOS and Android, using Facebook's authentication service as an example OAuth provider, and then show how the Facebook and Google SDKs for those platforms implement these approaches.
    This is not an OAuth tutorial, so I assume you are familiar with OAuth terminology and workflows.

    Token Based Authentication and JWT

    The HTTP protocol specifies only two standard authentication mechanisms that are implemented in every browser: HTTP Basic authentication, and Digest authentication, which is now obsolete because it is no longer secure.
    Because both are limited to the username/password idea, the development community on every web platform came up with its own better, customized solutions.
    JWT is one of the most promising and clever authentication ideas, and it has been gaining popularity recently.

    Making sense of SSL, RSA, X509 and CSR

    This is the second part of learning about SSL/TLS.
    The first part was about how to protect a site with SSL.
    This part explains in more detail the terms, technologies, protocols and standards used in SSL.

    Web security - Basic Authentication

    Although Basic authentication is not widely used anymore, understanding it is a good idea, because parts of it are reused in other security mechanisms, JWT for example.

    Secure your web site with SSL

    To secure a website with SSL, you first need to buy a certificate.
    A certificate is a document that your website sends back to browsers as an "official identification" for your website and your business.

    Ajax, CORS, JSONP and the battle with Same-Origin Policy

    All modern browsers have a built-in security policy called the same-origin policy, which helps mitigate many vulnerabilities and security flaws. This policy means the browser can only pull data from the same site.
    "Same site" here means pages that share the scheme (http, ftp, https, ...), the host name, and the port.
