authentication
Safeguard articles tagged "authentication" — guides, analysis, and best practices for software supply chain and application security.
46 articles
Designing a secure Node.js API gateway: auth, rate limits, validation, and signing
CVE-2020-15084 let attackers forge JWTs against express-jwt because one algorithm check was missing — a case study in why gateways need four defense layers, not one.
API gateway security: enforcing authN/authZ and rate limits at the edge
A single unauthenticated API endpoint exposed 37 million T-Mobile accounts in 2023. Edge-enforced authZ and identity-aware rate limits are how you prevent the repeat.
Building an authenticated, TLS-secured WebSocket server in Python
WebSockets skip same-origin checks by default — CWE-1385 exists because of it. Here's how to build one in Python with origin checks, TLS, and rate limits.
JWT security vulnerabilities and best practices
The jsonwebtoken library shipped three separate signature-bypass CVEs between 2015 and 2022 — algorithm confusion is still the most common way JWTs fail.
The Onboarding Tax: Why Signup Forms Break Agent Workflows
Every signup form, verification email, and OAuth redirect is a wall an AI agent can't climb. Zero-touch onboarding lets an agent create the account and sign in itself — no browser, no human relay.
API Authentication Best Practices (2026)
How you authenticate API clients decides how bad a leaked credential gets. Here is how to choose and harden API keys, bearer tokens, JWTs, and mTLS in 2026.
WebSocket Security Guide: Origin Checks, Auth, and CSWSH
WebSockets skip the same-origin policy and don't carry your REST auth for free. Cross-site WebSocket hijacking is the flaw teams miss. Here's how to secure the handshake.
Secure JWT handling: algorithm confusion, expiry, and storage done right
A single unchecked `alg` header turned jsonwebtoken into a forgeable token in CVE-2015-9235 — here's how to close every hole RFC 8725 warns about.
A practical REST API hardening checklist
OWASP's 2023 API Security Top 10 still ranks broken object-level authorization as the #1 risk — here's a concrete checklist for authn, rate limiting, and input validation.
Secure session lifecycle management: tokens, rotation, and cookie flags
OWASP requires session IDs carry at least 64 bits of entropy, yet a 2007 Rails flaw shows one dropped attribute is enough to make fixation trivial.
Verifying webhook signatures correctly
Stripe gives you a 5-minute replay window and GitHub a raw-body HMAC — but most outages trace back to one bug: verifying JSON after it's been re-serialized.
OAuth 2.0 Security Best Practices (2026)
OAuth 2.0 is safe when you follow the current security BCP and dangerous when you follow a decade-old tutorial. Here is what RFC 9700 requires in 2026: PKCE everywhere, exact redirect matching, and sender-constrained tokens.