This post will discuss how to use JSON Web Token (JWT) to separate your authentication from you API endpoints and how to do so securely in a Single Page Application (SPA). JSON Web Token (JWT) A JSON Web Token is an alternative for the combination of a session cookie and a server side session object. It typically contains the authentication and authorization “claims”. The user identifier (a technical primary key or something uniquely identifying the user, such as an email address) is almost always on of the claims (called the “subject”). Typically you may also have the role of that user in the application as a claim. These claims are sent to the server using a “Authorization” request header and can be trusted, because they are signed by the issuer (typically your authentication service). ...

This post will explain what XSS and CSRF attacks on web applications are and also what the best practices are to counter them. It will explain the mitigation techniques: Output escaping, “HttpOnly” cookie and CSRF-token. XSS and CSRF explained Most web applications that require login use a session cookie that contains the session identifier (and preferably nothing else). This identifier corresponds on the server side with a session object, stored in a central session store. It is used as a proof that you once entered your username/password correct in the session and should therefore be protected carefully. A malicious JavaScript may be executed on your site that “steals” the session cookie and posts it to the attackers website. The attacker will be receiving these session cookies and can start using the application, while being logged in as you. This is called “Cross Site Scripting” or XSS. “Cross Site Request Forgery” on the other hand exploits the behavior of automatically sending the session cookie on every request. It will do something on the logged in web application on your behalf, by cross-posting a form from the attackers website to the web application you are logged in to. In this scenario we protect ourselves against XSS with output escaping and “HttpOnly” cookies and against CSRF with a so-called “CSRF token”. ...

Multitenancy in IT is the concept that you put your customers on shared infrastructure (as opposed to an on-premise solution). This concept is also referred to as “cloud computing”. It may be obvious that multitenancy impacts costs, security, availability and performance. This is also true when multitenancy is applied to database systems. But note that database multitenancy is not a black-or-white thing. 5 levels of database multitenancy You can identify the following 5 different levels of multitenancy in the database world. Customers may share: ...

My name is Maurits van der Schee and I love thinking about software architecture and building high traffic web applications. In the past I have been building Oefenweb and LeaseWeb CDN. Previously I have been blogging on LeaseWeb labs, but from now on you can find me here on TQdev.com. So please update your bookmarks accordingly. “TQdev”, what does that mean? It means “I love you, developer!” and it is something I think almost every day when I work with free software. ...