Safeguard
Tag

authentication

Safeguard articles tagged "authentication" — guides, analysis, and best practices for software supply chain and application security.

46 articles

Application Security

Designing a secure Node.js API gateway: auth, rate limits, validation, and signing

CVE-2020-15084 let attackers forge JWTs against express-jwt because one algorithm check was missing — a case study in why gateways need four defense layers, not one.

Jul 15, 20266 min read
Application Security

API gateway security: enforcing authN/authZ and rate limits at the edge

A single unauthenticated API endpoint exposed 37 million T-Mobile accounts in 2023. Edge-enforced authZ and identity-aware rate limits are how you prevent the repeat.

Jul 13, 20266 min read
Application Security

Building an authenticated, TLS-secured WebSocket server in Python

WebSockets skip same-origin checks by default — CWE-1385 exists because of it. Here's how to build one in Python with origin checks, TLS, and rate limits.

Jul 11, 20266 min read
Application Security

JWT security vulnerabilities and best practices

The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.

Jul 10, 20266 min read
AI Security

The Onboarding Tax: Why Signup Forms Break Agent Workflows

Every signup form, verification email, and OAuth redirect is a wall an AI agent can't climb. Zero-touch onboarding lets an agent create the account and sign in itself — no browser, no human relay.

Jul 9, 20264 min read
Security Guides

API Authentication Best Practices (2026)

How you authenticate API clients decides how bad a leaked credential gets. Here is how to choose and harden API keys, bearer tokens, JWTs, and mTLS in 2026.

Jul 8, 20266 min read
Security Guides

WebSocket Security Guide: Origin Checks, Auth, and CSWSH

WebSockets skip the same-origin policy and don't carry your REST auth for free. Cross-site WebSocket hijacking is the flaw teams miss. Here's how to secure the handshake.

Jul 8, 20265 min read
Application Security

Secure JWT handling: algorithm confusion, expiry, and storage done right

A single unchecked `alg` header turned jsonwebtoken into a forgeable token in CVE-2015-9235 — here's how to close every hole RFC 8725 warns about.

Jul 8, 20266 min read
Application Security

A practical REST API hardening checklist

OWASP's 2023 API Security Top 10 still ranks broken object-level authorization as the #1 risk — here's a concrete checklist for authn, rate limiting, and input validation.

Jul 8, 20266 min read
Application Security

Secure session lifecycle management: tokens, rotation, and cookie flags

OWASP requires session IDs carry at least 64 bits of entropy, yet a 2007 Rails flaw shows one dropped attribute is enough to make fixation trivial.

Jul 8, 20266 min read
Application Security

Verifying webhook signatures correctly

Stripe gives you a 5-minute replay window and GitHub a raw-body HMAC — but most outages trace back to one bug: verifying JSON after it's been re-serialized.

Jul 8, 20267 min read
Security Guides

OAuth 2.0 Security Best Practices (2026)

OAuth 2.0 is safe when you follow the current security BCP and dangerous when you follow a decade-old tutorial. Here is what RFC 9700 requires in 2026: PKCE everywhere, exact redirect matching, and sender-constrained tokens.

Jul 7, 20266 min read
authentication — Safeguard Blog