Note summary from [OWASP Authorization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html)

- Authorization is about verifying that an action is approved for a specific entity
- The step before this, authentication, is about establishing identity and includes topics like MFA
- Major take-aways
  - Give users only the privileges they need, aka the principle of “Least Privilege”
  - Explicitly allow access and reject everything else, aka “Deny by Default”
  - Validate permissions on every request, not only at login or on first access
  - Write tests to validate ABAC/ReBAC (Attribute-Based / Relationship-Based Access Control) rules
  - Do not rely on default software configurations
  - Avoid exposing direct object identifiers; use the user’s token (session) to look up the objects that belong to them
  - Secure static resources! Don’t forget! (Write an IAM policy for your S3 buckets)
  - Access control checks need to happen server-side (*not* client-side); client-side checks are UI hints only
  - Ensure the authorization failure path does not itself expose a vulnerability (fail closed, and don’t let the error response reveal whether an object exists)
  - Log access attempts, allowed and denied, for post-mortem threat analysis
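A small server-side authorization layer that puts several of these take-aways together: deny by default, a relationship-based rule checked on every call, objects resolved through the caller's session token rather than a client-supplied identity, a failure path that fails closed and gives the same answer for "missing" and "not yours", and an audit log of both allows and denies. This is an added example, not code from the OWASP cheat sheet; the users, documents, session table and function names are constructed for illustration.

```python
"""Deny-by-default, per-request authorization with audit logging.

Added example; all data below is constructed and the names are hypothetical.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset


@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str
    shared_with: frozenset = frozenset()


# Constructed sample objects.
DOCS = {
    "doc-1": Document("doc-1", owner_id="alice"),
    "doc-2": Document("doc-2", owner_id="bob", shared_with=frozenset({"alice"})),
}

# Constructed session table: opaque token -> authenticated user. In a real
# app this is the session store; the identity comes from here, never from
# a user id the client sends in the request.
SESSIONS = {
    "tok-alice": User("alice", frozenset({"user"})),
    "tok-bob": User("bob", frozenset({"user"})),
    "tok-carol": User("carol", frozenset({"user", "auditor"})),
}


class Forbidden(Exception):
    """Raised for every denied request; the caller maps it to one generic 403."""


def is_allowed(user: User, action: str, doc: Document) -> bool:
    """Relationship-based rule. Anything not explicitly allowed is denied."""
    if action == "read":
        return (
            user.id == doc.owner_id
            or user.id in doc.shared_with
            or "auditor" in user.roles
        )
    if action == "write":
        return user.id == doc.owner_id
    return False  # unknown action: deny by default


def authorize(token: str, action: str, doc_id: str) -> Document:
    """Resolve the caller from the token and check the rule on this request.

    Fails closed: an invalid token, an unknown document, a rule that returns
    False, or an exception inside the rule all end in the same Forbidden.
    """
    user = SESSIONS.get(token)
    if user is None:
        log.warning("authz deny: invalid token action=%s doc=%s", action, doc_id)
        raise Forbidden()
    doc = DOCS.get(doc_id)
    try:
        # Missing and not-permitted are indistinguishable to the caller, so a
        # 403/404 difference cannot be used to enumerate valid identifiers.
        allowed = doc is not None and is_allowed(user, action, doc)
    except Exception:  # a bug in the rule must not turn into an allow
        log.exception("authz rule error: user=%s action=%s doc=%s", user.id, action, doc_id)
        allowed = False
    if not allowed:
        log.warning("authz deny: user=%s action=%s doc=%s", user.id, action, doc_id)
        raise Forbidden()
    log.info("authz allow: user=%s action=%s doc=%s", user.id, action, doc_id)
    return doc


def can(token: str, action: str, doc_id: str) -> bool:
    """Boolean view of authorize() for callers that only need yes/no."""
    try:
        authorize(token, action, doc_id)
        return True
    except Forbidden:
        return False


def list_documents(token: str) -> list:
    """Objects reachable from the session, so no document id crosses the wire."""
    user = SESSIONS.get(token)
    if user is None:
        return []
    return sorted(d.id for d in DOCS.values() if is_allowed(user, "read", d))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(can("tok-alice", "write", "doc-2"))   # False: shared read only
    print(list_documents("tok-alice"))          # ['doc-1', 'doc-2']
```

The point of `list_documents` is the "use the user's token to find related objects" take-away: the endpoint never accepts an id, so there is no id for an attacker to tamper with. `authorize` is still needed for single-object endpoints, and it must run on every call because a document's owner or share list can change between requests.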