Authorization

  • Authorization is about verifying that an action is approved for a specific entity
  • Authentication comes before this step: it establishes identity and covers topics like MFA
  • Major take-aways
    • Give users only the privileges they need, aka principle of “Least Privilege”
    • Explicitly allow access, aka “Deny by Default”
    • Validate permissions on every request
    • Write tests to validate ABAC/ReBAC (Attribute-Based / Relationship-Based Access Control) rules
    • Do not rely on default software configurations
    • Avoid exposing direct object identifiers; resolve related objects from the user's token (the authenticated subject) instead
    • Secure static resources too! Don’t forget! (Write an IAM policy for your S3 buckets)
    • Access control checks need to happen server-side (not client-side)
    • Ensure that handling an authorization failure (error responses, fallbacks) does not itself expose a vulnerability
    • Log access attempts for post-mortem threat analysis
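The take-aways above, shown together in one small server-side authorization layer. This is an added example written for these notes, not code from the original page: the documents, users, roles and rule names are constructed for illustration. It applies deny-by-default (access is allowed only when a relationship or attribute rule explicitly says so), checks on every request, scopes object lookups by the authenticated subject rather than trusting a client-supplied id, returns the same "not found" result whether the object is missing or merely forbidden so a failure does not reveal existence, and records every attempt in an audit log.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample data (hypothetical, not from the page): documents with an
# owner and an explicit share list. This stands in for a real datastore.
DOCUMENTS: Dict[str, dict] = {
    "d1": {"owner": "alice", "shared_with": {"bob"}, "body": "alice's notes"},
    "d2": {"owner": "carol", "shared_with": set(), "body": "carol's notes"},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated subject, as established by the authentication step
    (e.g. taken from a validated session token), never from request parameters."""
    user_id: str
    roles: frozenset


# Audit trail of every access attempt, allowed or denied, for post-mortem analysis.
AUDIT_LOG: List[dict] = []

# Relationship / attribute rules. Each returns True only when it explicitly
# allows the (principal, action, document) triple; there is no "allow" fallback.
Rule = Callable[[Principal, str, dict], bool]


def owner_rule(p: Principal, action: str, doc: dict) -> bool:
    # ReBAC: the owner relationship permits any action on the document.
    return doc["owner"] == p.user_id


def shared_reader_rule(p: Principal, action: str, doc: dict) -> bool:
    # ReBAC: an explicit share grants read only.
    return action == "read" and p.user_id in doc["shared_with"]


def auditor_rule(p: Principal, action: str, doc: dict) -> bool:
    # ABAC: the auditor attribute grants read on everything, nothing more.
    return action == "read" and "auditor" in p.roles


RULES: List[Rule] = [owner_rule, shared_reader_rule, auditor_rule]


def authorize(principal: Principal, action: str, doc_id: str) -> bool:
    """Deny by default: allow only if some rule explicitly permits the request.
    A missing document is treated exactly like a forbidden one."""
    doc = DOCUMENTS.get(doc_id)
    allowed = doc is not None and any(rule(principal, action, doc) for rule in RULES)
    AUDIT_LOG.append(
        {"user": principal.user_id, "action": action, "doc": doc_id, "allowed": allowed}
    )
    return allowed


def list_my_documents(principal: Principal) -> List[str]:
    """Enumerate objects from the authenticated subject outward, so the client
    never has to supply (or guess) raw identifiers to discover what it may see."""
    return sorted(
        doc_id
        for doc_id, doc in DOCUMENTS.items()
        if doc["owner"] == principal.user_id or principal.user_id in doc["shared_with"]
    )


def handle_request(principal: Principal, action: str, doc_id: str) -> dict:
    """Server-side check on every request. Denials use one uniform response so the
    failure path does not leak whether the document exists."""
    if not authorize(principal, action, doc_id):
        return {"status": 404, "body": None}
    if action == "read":
        return {"status": 200, "body": DOCUMENTS[doc_id]["body"]}
    if action == "delete":
        DOCUMENTS.pop(doc_id)
        return {"status": 200, "body": "deleted"}
    # Unknown actions are never implicitly allowed.
    return {"status": 404, "body": None}


if __name__ == "__main__":
    alice = Principal("alice", frozenset())
    bob = Principal("bob", frozenset())
    print(handle_request(bob, "read", "d1"))    # shared with bob: 200
    print(handle_request(bob, "delete", "d1"))  # not owner: 404, logged as denied
    print(list_my_documents(alice))             # ['d1']
    print(AUDIT_LOG)
```

The same 404 for "missing" and "forbidden" is a deliberate choice: a distinct 403 would confirm to an unauthorized caller that the object exists, which is exactly the kind of information an authorization failure path should not hand out. The audit entries are the raw material for the post-mortem analysis the last bullet asks for.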