security - Securing OAuth bearer token against attacks such as XSS, CSRF in JavaScript apps
I am a bit unclear on how to secure (or protect) bearer tokens when using pure JavaScript applications.

I know that when the user requests a token, the server can issue it with a validity of 14 days or 24 hours. Once the user has the token, there is no neat (assured) way of securing it against XSS or CSRF attacks (am I missing something?).

Now let's say the user is logged into the web application, and the browser has a token valid for 14 days. If, while the user is accessing the web application, someone tries XSS (or CSRF) and the token is exposed to a 3rd party application, that application can make calls to the application using the token (?)

I have tried searching online and found nothing concrete (or easy to understand) covering pure JS apps and how to protect the token. Or is there no way in JS at the moment, and we just hope (and pray) that the attack does not take place within the validity period of the token (i.e. 14 days :|)?

Any thoughts or inputs are welcome on this.

Thanks

Edit: It probably goes without saying, but I am assuming the use of an SSL certificate.
Tags: security, cookies, oauth, xss, csrf