Securing Single Page Apps and REST Services

The move towards Single Page Apps and RESTful services open the doors to a much better way of securing web applications. Traditional web applications use browser cookies to identify a user when a request is made to the server. This approach is fundamentally flawed and causes many applications to be vulnerable to Cross-Site Request Forgery (CSRF) attacks. When used correctly, RESTful services can avoid this vulnerability altogether. Before we go into the solution, lets recap the problem.

How Bad Crossdomain Policies Expose Protected Data to Malicious Applications

The web’s success has been partially due to the sandbox it provides users. Users do not generally have to entirely trust every website they visit because malicious web sites should be sandboxed from doing the user harm. One way that web sites are sandboxed is through a same-origin policy. By default any code that runs inside a web browser can only access data from the domain in which the code originated from.

Mutual Authentication: Prevents Phishing Attacks?

One of my credit card companies just implemented Mutual Authentication for their web site. I think this is a fantastic idea since it can help to protect users from phishing attacks. The hard part will be training users to not enter their credentials unless they see the tokens they selected.

Continue reading to see how Juniper implemented Mutual Authentication.