DEV Community

Cover image for How to Secure the Web: A Comprehensive Guide to Authentication Strategies for Developers

How to Secure the Web: A Comprehensive Guide to Authentication Strategies for Developers

Mahmoud Abbas on April 10, 2023

Introduction As the digital world continues to expand, ensuring the security of web applications and protecting user data has become mor...
Collapse
 
pilcrowonpaper profile image
pilcrowOnPaper

If you're using JWTs, please please please be aware that you cannot revoke existing tokens. This is a major issue if users can change passwords or privileges. In general, sessions will likely be a better choice and most (if not all) major sites use sessions.

Also, using Bearer tokens as stated here:

When the user makes a request to the server, the token is included in the request in the Authorization header prefixed with the word "Bearer ", then the server verifies the token and grants access to the application if the token is valid.

isn't possible if you're storing it with http-only cookies.

if you are willing to go the extra mile, you can use a refresh token and an access token. which is the way I prefer to do it.

Using 2 types of tokens won't make your application more secure if you're storing both of them inside cookies. An attacker will likely have access to the refresh token if they can steal the access token.

Every auth strategy will be susceptible to CSRF and/or XSS since you're storing something onto to browser. Setting same-site to strict means your users won't be logged in if they access your website via a link. This isn't an issue for websites for say banks, but will likely make UX worse for most sites. Check the Origin header for CSRF protection or use traditional CSRF tokens instead.

Collapse
 
fjones profile image
FJones • Edited

Using 2 types of tokens won't make your application more secure if you're storing both of them inside cookies. An attacker will likely have access to the refresh token if they can steal the access token.

Yes, this is true. However, refresh tokens are supposed to be used with short-lived authorization tokens and (importantly) invalidated when reused. This limits the attack potential to at worst two authorization tokens' lifetimes - the originally-hijacked one, and the one fetched with the refresh token, until the real user tries to redeem the refresh token (at which they must be required to re-authenticate, and none of the refresh tokens issued up to this point must be valid anymore).

Obviously this all matters very little if the attack vector is persistent, and authorization tokens should indeed be used as Bearer tokens rather than cookies, but refresh tokens do serve a security purpose.

Collapse
 
nosherwan profile image
Nosh Ghazanfar

Totally agree with you. That is why I have clearly stated those things in the article itself here: dev.to/nosherwan/effective-securit...

Collapse
 
ma7moud3bas profile image
Mahmoud Abbas

Thanks for sharing this.

Will look more into it and update the article accordingly.

Collapse
 
ma7moud3bas profile image
Mahmoud Abbas

These are some good points. thanks for sharing them.

You gotta admit that every one of these approaches has a downside.

Collapse
 
cubiclesocial profile image
cubiclesocial

There's one authentication type you missed: WebAuthn.

In my experience, SAML is a nightmare. When it works, it's a solid SSO solution for the end-user. When it doesn't work, it can take several hours of staring at the configuration on the enterprise side to spot the one thing that was overlooked. In an enterprise setting, there's at least one major SAML related problem every day for some random user. There's no particularly good enterprise alternative to SAML though as it is baked into ADFS, which makes it the de facto standard.

Collapse
 
ma7moud3bas profile image
Mahmoud Abbas

Thanks for sharing this 🙏

I've edited the article to include WebAtuhn.

Also take in mind that this article is just an introduction to the most popular types of auth standerds.

Collapse
 
simondoll23 profile image
simondoll23

Hi, such a fine sharing I will follow this for my gastric bypass surgery website. Surely, this will help in growing my site as well.

Collapse
 
vdelitz profile image
vdelitz

Great article and easy to understand! Would be cool to see WebAuthn as another standard here as well :)

Collapse
 
ma7moud3bas profile image
Mahmoud Abbas • Edited

Thank you 🙏

I tried to include the ones that are used the most.

Will definitely add more in the future

Collapse
 
kongwoojeong profile image
Zayden

hello I'm a front-end engineer.
I really like your article and would like to translate it, is it possible?

Collapse
 
ma7moud3bas profile image
Mahmoud Abbas

go ahead by all means.

Just share a link to it when you are done.

Collapse
 
jacque_smith_227c9c0079dc profile image
Jacque Smith

Hi, I'm glad you found the information helpful! Implementing the strategies mentioned in this article can indeed contribute to the growth of your hair transplant surgery website. By providing informative and engaging content, you can attract and educate your audience, establishing your site as a reliable resource in the field. Additionally, focusing on search engine optimization and utilizing social media platforms can help increase your site's visibility and reach. Best of luck with your website and the success of your hair transplantation services!