Benutzer:MovGP0/ASP.NET Core/XSS
Zur Navigation springen
Zur Suche springen
| MovGP0 | Über mich | Hilfen | Artikel | Weblinks | Literatur | Zitate | Notizen | Programmierung | MSCert | Physik |
|
|
Prevent Cross-Site Scripting
[Bearbeiten | Quelltext bearbeiten]- All inputs must be escaped. Be careful to not render user input as HTML.
| JS Client | Browser | |
|---|---|---|
| Header | Authorization: Bearer <JWT>
|
Cookie: token=<JWT>
|
| Transmission | manual coding; works with any CORS domain | automatically sent; not possible across domains |
| Storage |
|
cookie storage only |
| MITM | TLS must be managed by code | secure cookie flag forces TLS |
| XSS | manual coding effort | implicit with HttpOnly cookie flag to prevent JS access |
| CSRF | — | manual coding effort (double sumit cookie) |
Quellen
[Bearbeiten | Quelltext bearbeiten]- Preventing Cross-Site Scripting. In: ASP.NET Core Docs. Microsoft, 14. Oktober 2016, abgerufen am 12. Mai 2017 (englisch).
- Stefan Achtsnit: Securing Single Page Applications with Token Based Authentication. In: YouTube. WeAreDevelopers, abgerufen am 12. Mai 2017 (englisch).
|}