A basic guideline on implementing auth for the web
Home Page: https://thecopenhagenbook.com
License: MIT License
The Copenhagen Book provides a general guideline on implementing auth in web applications. It is free, open source, and community maintained. It may be opinionated or incomplete at times but we hope this fills a certain void in online resources. We recommend using this alongside the OWASP Cheat Sheet Series.
If you have any suggestions or concerns, consider opening a new issue.
I'm not sure if this should be part of the book since it's more general security rather than auth related
Unfortunately I've never implemented SAML before
The "Sessions" guide contains the following:
CSRF protection must be implemented when using cookies, and using the SameSite flag is not sufficient.
This is somewhat true, but there is some additional nuance here.
My understanding is that SameSite=Lax (or Strict) is sufficient CSRF protection if the following conditions are met:
GET requests aren't used to mutate data on the server.As with anything related to auth, there are plenty of edge-cases (as listed above) but generally I think SameSite=Lax or SameSite=Strict could be recommended as a sufficient method of CSRF protection in certain circumstances.
Interested to hear your thoughts and, if you agree, I'm happy to modify the "SameSite cookie attribute" section of the "CSRF" guide to include this info.
Describe and compare different ways to implement rate-limiting
In various journeys of an applications functions it's possible to infer the presence of a identity such as
New user sign up is provided an email that is checked 'that account already exists' <-- this is a point of enumeration
Forgotten Password is often a point of enumeration too altho often a little noisier <-- user doesn't exist versus email sent
Login page also a point of enumeration <-- user does not exist versus incorrect password
Areas like these should either send to the user's provided email address actions to authenticated such as how Spotify's magic link works or send an email suggesting someone has attempted to sign up using this email address if the account doesn't exist yet
where an application cannot do this, it must be aware of the enumeration and scraping potential
Does this make sense ?
I can put something in long form if needed, but in principle, how are re defending from scraping and inference based learning for unauthenticated visitors
I can translate the book to Arabic, but we need malta to support internationalization first
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.