DEV Community

loading...

Discussion on: I am a Developer Advocate for Security in Mobile Apps and APIs, Ask Me Anything

Collapse
wolfiton profile image
wolfiton

Thanks for sharing your take on this. I am also glad that someone else uses phoenix and elixir in their stack.

Regarding the jose standard for jwt, I was looking at paseto but never managed to make it working with laravel. the good news is that Elixir has a paseto package and might be worth looking at it if you want a powerfull security with SSR.

Also is SSR possible with http only cookies, because i couldn't find anything related to this, have you tried it?
Just found this and i am wondering if it is secure enough to be able to use it to leverage SSR for seo and security with the auth header cookie
swapnil.dev/blog/authentication-in...
Also sorry if I write so much, I am just very happy that I could find someone that is very knowledgeable regarding security and can understand my worries of the new web stacks that everybody is so thrilled about.
Thanks in advance

Thread Thread
exadra37 profile image
Paulo Renato Ask Me Anything

Also is SSR possible with http only cookies, because i couldn't find anything related to this, have you tried it?

Well be it server side rendered or not httpOnly cookies are not controlled by your app in the client side, instead it's the browser the one in charge of sending them back in each request to the backend, therefore you just need to check them on each request your backend receives:

From Mozilla:

Ways to mitigate attacks involving cookies:

  • Use the HttpOnly attribute to prevent access to cookie values via JavaScript.
  • Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the SameSite attribute set to Strict or Lax. (See SameSite cookies, above.) In browsers that support SameSite, this has the effect of ensuring that the authentication cookie is not sent with cross-origin requests, so such a request is effectively unauthenticated to the application server.

Also remember to always encrypt the session cookies in your backend so that no one can spy on them, thus mitigating what Mozilla mentions:

Security

Information should be stored in cookies with the understanding that all cookie values are visible to, and can be changed by, the end-user. Depending on the application, it may be desirable to use an opaque identifier which is looked-up by the server or to investigate alternative authentication/confidentiality mechanisms such as JSON Web Tokens.

So if you decide to put the JWT in a session cookie, then use JWE, aka encrypted JWT's... This is what I am doing in my Elixir/Phoenix app.


the good news is that Elixir has a paseto package and might be worth looking at it if you want a powerfull security with SSR.

No need to use Paseto with Phoenix in Elixir, just use the native encrypted tokens.


Thanks for sharing your take on this. I am also glad that someone else uses phoenix and elixir in their stack.

Professionally I code in a lot of different languages, personally only in Elixir ;)