DEV Community

Discussion on: What are your default 'safe' meaning in software security?

rhymes

Hi Manda,

I never feel secure about my app

that's a great place to start, me neither!

A good way to deal with auth is not to build the auth app from zero at all :) In the sense that if you don't have to deal manually with authentication, then you probably have safer best practices in place from a trusted framework, or from a third-party provider if you use an external service.

That doesn't mean you don't still have to know how the whole thing works, but maybe building it from zero isn't a good idea, unless your business is to provide authentication.

You can also consider adding 2FA.

Another great way to increase the odds of safety is not to have a server to manage at all. Using PaaS or FaaS cloud computing you avoid dealing with patches and software upgrades yourself.

Going back to your example, I think it's a decent start except for the JWT inside local storage. Local storage is visible to every script running in your browser, regardless of which app stored it in the first place, which means that a potential attacker can retrieve the data. That doesn't mean "don't use local storage ever", just don't put sensitive data in it, like an authentication token. You can use it to store a username or something else, for example. An HTTP-only cookie is a safer bet.

Another trick you could implement is to integrate the Have I Been Pwned API in your login/registration process, so that you can guard against previously breached passwords.

Cross-site scripting is also another thing to keep in mind as a web developer, and you can mitigate that by using frameworks with CSRF protection and by using Content Security Policy headers.

Avoiding known vulnerabilities by integrating auditing tools in your build process is also another thing you might want to consider. They are not foolproof, but at least they catch known vulnerabilities before deployment.

A couple of resources:

Manda Putra

Hi, great explanation, thanks :) Just knew that pwned had an API, will use that to check the password.

I started using localStorage because all the tutorials around this world use localStorage for storing the JWT, that's a good start for a newb like me... but today, yeah, as you said, the safer bet is using cookies. Thanks! :)