Handling authentication secrets in the browser

Description

Applications that run in the browser and connect to backend services have the challenging problem of security. Given the open nature of the browser environment, where anybody can inspect or even modify a running application, it is practically impossible to hide secrets such as access tokens or passwords from a savvy user (or from the attacker that gained control of their computer).

Fortunately, there are a number of best practices and safeguards that minimize and sometimes completely eliminate the risk of an attack. Miguel Grinberg covers techniques to secure different types of web applications, from old-school thin-client apps where the server does everything to modern JavaScript rich UIs that connect to a distributed network of services.

Topics include:

• How secrets can be attacked in the server, in the client, and during transit
• When to store secrets in the server and when to store them in the client
• Passwords versus tokens: When to use one or the other
• Access tokens from third-party services such as Facebook, Twitter, and GitHub
• JSON Web Tokens
• Techniques to secure a login form
• Techniques to secure asynchronous requests to backend services
• How Rackspace protects the AWS managed apps control panel