Introduction: Security, Authentication, and Authorization
Back-end | 2022. 1. 14. 13:07
A summary of the basic concepts of security, authentication, and authorization for web applications.
< Introduction to Web Security >
Documentation : Web application security : What is Application Security?
Application security - Wikipedia (Korean edition) (ko.wikipedia.org)
Application security covers the entire lifecycle of the code, addressing both flaws in an application's security policy and weaknesses that go unnoticed during system development.
Documentation : MDN - Website Security : What is Web Security?
Website security - Learn web development | MDN (developer.mozilla.org)
This article has explained the concept of web security and some of the more common threats that your website should attempt to protect against. Most importantly, you should understand that a web application cannot trust any data from the web browser!
- Effective website security requires effort throughout the design process.
- The single most important lesson about website security is to never trust data from the browser.
- Typical security threats:
1. Cross-Site Scripting (XSS)
2. SQL Injection
3. Cross-Site Request Forgery (CSRF)
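The "never trust data from the browser" rule and the XSS item above, worked through as an added example in Node.js (this is not code from MDN or from this post). It shows positive validation of a request body against an explicit schema, rejection of fields the client is not allowed to set, and HTML escaping at render time; the field names, limits, and sample values are assumptions made for the demo.

```javascript
// Added example (not from the MDN article): every field that arrives from the
// browser is treated as untrusted. Field names, limits and sample data are
// constructed for this demo.

// Positive validation: describe exactly what a profile update may contain.
// Anything not listed here (for example a client-supplied "role") is rejected.
const PROFILE_SCHEMA = {
  displayName: { type: 'string', maxLength: 40 },
  bio:         { type: 'string', maxLength: 280 },
  age:         { type: 'integer', min: 0, max: 150 },
};

// Returns { ok: true, value } holding only the validated fields, or
// { ok: false, errors } listing every violation found.
function validateProfileUpdate(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const key of Object.keys(body)) {
    const rule = PROFILE_SCHEMA[key];
    if (!rule) { errors.push(`unknown field: ${key}`); continue; }
    const v = body[key];
    if (rule.type === 'string') {
      if (typeof v !== 'string') errors.push(`${key} must be a string`);
      else if (v.length > rule.maxLength) errors.push(`${key} exceeds ${rule.maxLength} characters`);
      else value[key] = v;
    } else if (rule.type === 'integer') {
      if (!Number.isInteger(v)) errors.push(`${key} must be an integer`);
      else if (v < rule.min || v > rule.max) errors.push(`${key} out of range`);
      else value[key] = v;
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Output encoding for HTML: stored text is escaped when rendered, so markup
// inside a display name is shown literally rather than interpreted (XSS).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderProfileCard(profile) {
  return `<div class="card"><h2>${escapeHtml(profile.displayName)}</h2>` +
         `<p>${escapeHtml(profile.bio)}</p></div>`;
}
```

When the validated `value` is written to a database, pass each field as a bound query parameter rather than concatenating it into the SQL string; that is the counterpart of this validation for the SQL Injection item in the list.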
Article : The Basics of Web Application Security : Basics of Web Application Security
The Basics of Web Application Security (martinfowler.com)
Security is both very important and often under-emphasized. While many targeted techniques help, there are some basic clean code habits which every developer can and should be doing.
< In Summary >
- Authorization must always be checked on the server. Hiding user interface components is fine for user experience, but not an adequate security measure.
- Deny by default. Positive validation is safer and less error prone than negative validation.
- Code should authorize against specific resources such as files, profiles, or REST endpoints.
- Authorization is domain specific, but there are some common patterns to consider when designing your permission model. Stick to common patterns and frameworks unless you have a very compelling reason not to.
- Use RBAC for basic cases and keep permissions and roles decoupled to allow your policies to evolve.
- For more complicated scenarios, consider ABAC, and use XACML or policies coded in the application's language.
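The server-side, deny-by-default, resource-specific checks in the summary above, worked through as an added example in Node.js (not code from the article or from this post). Roles are decoupled from permissions so either can change independently, unknown roles and unknown actions are denied, and a domain-specific ownership rule is layered on top; the role names, permission names, users, and the ownership rule are assumptions made for the demo.

```javascript
// Added example (not from the martinfowler.com article): a small RBAC model
// with deny-by-default checks done on the server. Role names, permission
// names, users and the ownership rule are constructed for this demo.

// Permissions are named per action on a specific resource type, and roles
// are mapped onto them here; changing a role's grants never touches the
// code that performs the checks.
const ROLE_PERMISSIONS = {
  viewer: new Set(['profile:read']),
  editor: new Set(['profile:read', 'profile:write']),
  admin:  new Set(['profile:read', 'profile:write', 'profile:delete']),
};

// Positive validation: only an allowlist of known actions is accepted.
const KNOWN_ACTIONS = new Set(['read', 'write', 'delete']);

// Returns true only when some role held by the user explicitly grants
// "<resourceType>:<action>". Missing user, unknown role or unknown action
// all fall through to false.
function isAuthorized(user, action, resourceType) {
  if (!user || !Array.isArray(user.roles)) return false;
  if (!KNOWN_ACTIONS.has(action)) return false;
  const needed = `${resourceType}:${action}`;
  return user.roles.some((role) => {
    const perms = Object.prototype.hasOwnProperty.call(ROLE_PERMISSIONS, role)
      ? ROLE_PERMISSIONS[role] : undefined;     // unknown role -> denied
    return perms !== undefined && perms.has(needed);
  });
}

// Domain-specific rule layered on top of RBAC (constructed for the demo):
// a user who may read profiles may also write their own profile.
function canWriteProfile(user, profileOwnerId) {
  if (isAuthorized(user, 'write', 'profile')) return true;
  return Boolean(user) && user.id === profileOwnerId && isAuthorized(user, 'read', 'profile');
}

// Request handler: the check is made on the server regardless of whether
// the client UI showed or hid the "delete" button.
function handleDeleteProfile(user, profileId) {
  if (!isAuthorized(user, 'delete', 'profile')) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: `profile ${profileId} deleted` };
}
```

To move to an ABAC-style policy later, `isAuthorized` is the only place that needs to change; the call sites keep naming the action and the resource they are about to touch.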
< Introduction to Authentication/Authorization >
Documentation : OAuth - Authentication and Authorization Flows : Authentication and Authorization
Auth0 (auth0.com): Get started using Auth0. Implement authentication for any kind of application in minutes.
< Authentication vs Authorization >
- Authentication is the process of verifying who someone is.
- Authorization is the process of verifying what specific applications, files, and data a user has access to.
Documentation : MDN - HTTP authentication : HTTP authentication
HTTP authentication - HTTP | MDN (developer.mozilla.org)
HTTP provides a general framework for access control and authentication. This page is an introduction to the HTTP framework for authentication, and shows how to restrict access to your server using the HTTP "Basic" scheme.
Article : Basic Authentication Tutorial : Basic Authentication Tutorial with Example API
NodeJS - Basic Authentication Tutorial with Example API | Jason Watmore's Blog (jasonwatmore.com)
In this tutorial, you will learn how to implement Basic HTTP authentication in a Node API and how to use it within a React, Angular, Vue.js, or Blazor application.