{"componentChunkName":"component---src-templates-blog-list-template-js","path":"/123","result":{"data":{"allMarkdownRemark":{"edges":[{"node":{"excerpt":"In this blog, we learn how to implement the AntiXssMiddleware in .NET Core. First, we will understand about the cross-site scripting. Cross…","fields":{"slug":"/engineering/anti-xss-middleware-asp-core/"},"html":"

In this blog, we learn how to implement the AntiXssMiddleware in .NET Core. First, we will understand about the cross-site scripting.

\n

Cross-Site Scripting(XSS)

\n

Cross-site scripting is a security vulnerability and a client-side code injection attack. In this attack, the malicious script is injected into legitimate websites.\nCross-site scripting allows an attacker to act like a victim user and to carry out the actions that the user can perform. The attacker can access the user's data as well.

\n

Implement AntiXssMiddleware in .NET Core

\n

Step 1: Create Asp.NET Core Web Application project in Visual Studio.

\n

Step 2: Select type as API in the next step and create the project. You will find a default controller which is created in the controller folder named as WeatherForecastController.cs

\n

Step 3: Now create a new folder named Middleware in the root directory.

\n

Step 4 : Create a new file AntiXssMiddleware.cs in that Middleware folder.

\n

Step 5: Now add the Newtonsoft.json package into your solution

\n

By doing the above steps you will have below structure in your solution.

\n

\n \n \"Solution\n

\n

Step 6: Now edit the AntiXssMiddlewars.cs file and paste below code.

\n
using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Linq;\nusing System.Net;\nusing System.Text;\nusing System.Text.RegularExpressions;\nusing System.Threading.Tasks;\nusing Microsoft.AspNetCore.Builder;\nusing Microsoft.AspNetCore.Http;\nusing Newtonsoft.Json;\n\nnamespace AntiXssMiddleware.Middleware\n{\n    public class AntiXssMiddleware\n    {\n        private readonly RequestDelegate _next;\n        private ErrorResponse _error;\n        private readonly int _statusCode = (int)HttpStatusCode.BadRequest;\n\n        public AntiXssMiddleware(RequestDelegate next)\n        {\n            _next = next ?? throw new ArgumentNullException(nameof(next));\n        }\n\n        public async Task Invoke(HttpContext context)\n        {\n            // Check XSS in URL\n                if (!string.IsNullOrWhiteSpace(context.Request.Path.Value))\n                {\n                    var url = context.Request.Path.Value;\n\n                    if (CrossSiteScriptingValidation.IsDangerousString(url, out _))\n                    {\n                        await RespondWithAnError(context).ConfigureAwait(false);\n                        return;\n                    }\n                }\n\n                // Check XSS in query string\n                if (!string.IsNullOrWhiteSpace(context.Request.QueryString.Value))\n                {\n                    var queryString = WebUtility.UrlDecode(context.Request.QueryString.Value);\n\n                    if (CrossSiteScriptingValidation.IsDangerousString(queryString, out _))\n                    {\n                        await RespondWithAnError(context).ConfigureAwait(false);\n                        return;\n                    }\n                }\n\n                // Check XSS in request content\n                var originalBody = context.Request.Body;\n                try\n                {\n                    var content = await ReadRequestBody(context);\n\n                    if (CrossSiteScriptingValidation.IsDangerousString(content, out _)) \n                    {\n                            await RespondWithAnError(context).ConfigureAwait(false);\n                            return;\n                    }\n                    await _next(context).ConfigureAwait(false);\n                }\n                finally\n                {\n                    context.Request.Body = originalBody;\n                }\n        }\n\n        private static async Task<string> ReadRequestBody(HttpContext context)\n        {\n            var buffer = new MemoryStream();\n            await context.Request.Body.CopyToAsync(buffer);\n            context.Request.Body = buffer;\n            buffer.Position = 0;\n\n            var encoding = Encoding.UTF8;\n\n            var requestContent = await new StreamReader(buffer, encoding).ReadToEndAsync();\n            context.Request.Body.Position = 0;\n\n            return requestContent;\n        }\n\n        private async Task RespondWithAnError(HttpContext context)\n        {\n            context.Response.Clear();\n            context.Response.Headers.AddHeaders();\n            context.Response.ContentType = "application/json; charset=utf-8";\n            context.Response.StatusCode = _statusCode;\n\n            if (_error == null)\n            {\n                _error = new ErrorResponse\n                {\n                    Description = "Error from AntiXssMiddleware",\n                    ErrorCode = 500\n                };\n            }\n\n            await context.Response.WriteAsync(_error.ToJSON());\n        }\n    }\n\n    public static class AntiXssMiddlewareExtension\n    {\n        public static IApplicationBuilder UseAntiXssMiddleware(this IApplicationBuilder builder)\n        {\n            return builder.UseMiddleware<AntiXssMiddleware>();\n        }\n    }\n\n\n    /// <summary>\n    /// Imported from System.Web.CrossSiteScriptingValidation Class\n    /// </summary>\n    public static class CrossSiteScriptingValidation\n    {\n        private static readonly char[] StartingChars = { '<', '&' };\n\n        #region Public methods\n\n        public static bool IsDangerousString(string s, out int matchIndex)\n        {\n            //bool inComment = false;\n            matchIndex = 0;\n\n            for (var i = 0; ;)\n            {\n\n                // Look for the start of one of our patterns \n                var n = s.IndexOfAny(StartingChars, i);\n\n                // If not found, the string is safe\n                if (n < 0) return false;\n\n                // If it's the last char, it's safe \n                if (n == s.Length - 1) return false;\n\n                matchIndex = n;\n\n                switch (s[n])\n                {\n                    case '<':\n                        // If the < is followed by a letter or '!', it's unsafe (looks like a tag or HTML comment)\n                        if (IsAtoZ(s[n + 1]) || s[n + 1] == '!' || s[n + 1] == '/' || s[n + 1] == '?') return true;\n                        break;\n                    case '&':\n                        // If the & is followed by a #, it's unsafe (e.g. S) \n                        if (s[n + 1] == '#') return true;\n                        break;\n\n                }\n\n                // Continue searching\n                i = n + 1;\n            }\n        }\n\n        #endregion\n\n        #region Private methods\n\n        private static bool IsAtoZ(char c)\n        {\n            return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');\n        }\n\n        #endregion\n\n        public static void AddHeaders(this IHeaderDictionary headers)\n        {\n            if (headers["P3P"].IsNullOrEmpty())\n            {\n                headers.Add("P3P", "CP=\\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\\"");\n            }\n        }\n\n        public static bool IsNullOrEmpty<T>(this IEnumerable<T> source)\n        {\n            return source == null || !source.Any();\n        }\n        public static string ToJSON(this object value)\n        {\n            return JsonConvert.SerializeObject(value);\n        }\n    }\n\n    public class ErrorResponse\n    {\n        public int ErrorCode { get; set; }\n        public string Description { get; set; }\n    }\n\n}
\n

In the above file we have created the method for checking the Xss in QueryParam, RequestUri and RequestBody.

\n

Here we have different methods which are as follows:-

\n

ReadRequestBody which is used for reading the RequestBody.

\n

RespondWithAnError which is used for returning the error.

\n

IsDangerousString which is checking if there is any dangerous string like any script in the given string.

\n

Step 7: Edit the Startup.cs file and add below line in Configure method.

\n
app.UseAntiXssMiddleware();
\n

Step 8 : After editing the Startup.cs file will look like below

\n
using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Threading.Tasks;\nusing AntiXssMiddleware.Middleware;\nusing Microsoft.AspNetCore.Builder;\nusing Microsoft.AspNetCore.Hosting;\nusing Microsoft.AspNetCore.HttpsPolicy;\nusing Microsoft.AspNetCore.Mvc;\nusing Microsoft.Extensions.Configuration;\nusing Microsoft.Extensions.DependencyInjection;\nusing Microsoft.Extensions.Hosting;\nusing Microsoft.Extensions.Logging;\n\nnamespace AntiXssMiddleware\n{\n    public class Startup\n    {\n        public Startup(IConfiguration configuration)\n        {\n            Configuration = configuration;\n        }\n\n        public IConfiguration Configuration { get; }\n\n        // This method gets called by the runtime. Use this method to add services to the container.\n        public void ConfigureServices(IServiceCollection services)\n        {\n            services.AddControllers();\n        }\n\n        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.\n        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)\n        {\n            if (env.IsDevelopment())\n            {\n                app.UseDeveloperExceptionPage();\n            }\n\n            app.UseHttpsRedirection();\n            app.UseAntiXssMiddleware();\n            app.UseRouting();\n            app.UseAuthorization();\n            app.UseEndpoints(endpoints =>\n            {\n                endpoints.MapControllers();\n            });\n        }\n    }\n}
\n

Step 9: Now build and run the solution.

\n

As we run the default API which is https://localhost:44369/weatherforecast we will get the below response.

\n
[\n    {\n        "date": "2020-08-21T11:58:40.0289718+05:30",\n        "temperatureC": 27,\n        "temperatureF": 80,\n        "summary": "Sweltering"\n    },\n    {\n        "date": "2020-08-22T11:58:40.0289896+05:30",\n        "temperatureC": 21,\n        "temperatureF": 69,\n        "summary": "Cool"\n    },\n    {\n        "date": "2020-08-23T11:58:40.0289899+05:30",\n        "temperatureC": -20,\n        "temperatureF": -3,\n        "summary": "Hot"\n    },\n    {\n        "date": "2020-08-24T11:58:40.0289901+05:30",\n        "temperatureC": 21,\n        "temperatureF": 69,\n        "summary": "Sweltering"\n    },\n    {\n        "date": "2020-08-25T11:58:40.0289902+05:30",\n        "temperatureC": 2,\n        "temperatureF": 35,\n        "summary": "Balmy"\n    }\n]
\n

Now if we inject any script in the above url like https://localhost:44369/weatherforecast<script></script> we will get the response as

\n
{\n    "ErrorCode": 500,\n    "Description": "Error from AntiXssMiddleware"\n}
\n

Note:

\n
    \n
  1. The default port may be different when you run the project. So change the port accordingly.
    2. \n
  2. You can customize the error message according to your need.
    3. \n
\n

Conclusion

\n

In this blog, we learnt about how to implement AntiXssMiddlware in ASP.NET Core Web Application Project. We have implemented the AntiXssMiddleware in API's QueryParam, ReuqestUri and RequestBody. So if any script is injected in QueryParam, RequestUri or RequestBody then it will give the error.

\n","frontmatter":{"date":"August 26, 2020","updated_date":null,"description":null,"title":"Implement AntiXssMiddleware in .NET Core Web","tags":["C#","ASP.NET"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/813c7a5a008113481ac2c05836830d14/ee604/antixss.png","srcSet":"/static/813c7a5a008113481ac2c05836830d14/69585/antixss.png 200w,\n/static/813c7a5a008113481ac2c05836830d14/497c6/antixss.png 400w,\n/static/813c7a5a008113481ac2c05836830d14/ee604/antixss.png 800w,\n/static/813c7a5a008113481ac2c05836830d14/f3583/antixss.png 1200w,\n/static/813c7a5a008113481ac2c05836830d14/5707d/antixss.png 1600w,\n/static/813c7a5a008113481ac2c05836830d14/eeb1b/antixss.png 1920w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Hemant Manwani","github":"hemant404","avatar":null}}}},{"node":{"excerpt":"In this post, we will look at the step-by-step process for Kafka Installation on Windows. Kafka is an open-source stream-processing software…","fields":{"slug":"/engineering/quick-kafka-installation/"},"html":"

In this post, we will look at the step-by-step process for Kafka Installation on Windows. Kafka is an open-source stream-processing software platform and comes under the Apache software foundation.

\n

What is Kafka?

\n

Kafka is used for real-time streams of data, to collect big data, or to do real-time analysis (or both). Kafka is used with in-memory microservices to provide durability and it can be used to feed events to complex event streaming systems and IoT/IFTTT-style automation systems.

\n

Installation :

\n

1. Java Setup:

\n

Kafka requires Java 8 for running. And hence, this is the first step that we should do to install Kafka. To install Java, there are a couple of options. We can go for the Oracle JDK version 8 from the Official Oracle Website.

\n

2. Kafka & Zookeeper Configuration:

\n

Step 1: Download Apache Kafka from its Official Site.

\n

Step 2: Extract tgz via cmd or from the available tool to a location of your choice:

\n
tar -xvzf kafka_2.12-2.4.1.tgz
\n

Step 3: Copy the path of the Kafka folder. Now go to config inside Kafka folder and open zookeeper.properties file. Copy the path against the field dataDir and add /zookeeper-data to the path.

\n

\n \n \n \nStep 4: we have to modify the config/server.properties file. Below is the change:

\n
fileslog.dirs=C:\\kafka\\kafka-logs
\n

Basically, we are pointing the log.dirs to the new folder /data/kafka.

\n

Run Kafka Server:

\n

Step 1: Kafka requires Zookeeper to run. Basically, Kafka uses Zookeeper to manage the entire cluster and various brokers. Therefore, a running instance of Zookeeper is a prerequisite to Kafka.

\n

To start Zookeeper, we can open a PowerShell prompt and execute the below command:

\n
.\\bin\\windows\\zookeeper-server-start.bat .\\config\\zookeeper.properties
\n

If the command is successful, Zookeeper will start on port 2181.

\n

Step 2: Now open another command prompt and change the directory to the kafka folder. Run kafka server using the command:

\n
.\\bin\\windows\\kafka-server-start.bat .\\config\\server.properties
\n

Now your Kafka Server is up and running, you can create topics to store messages. Also, we can produce or consume data directly from the command prompt.

\n

Create a Kafka Topic:

\n
    \n
  1. Open a new command prompt in the location C:\\kafka\\bin\\windows.
    2. \n
  2. Run the following command:
    3. \n
\n
kafka-topics.bat --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic test
\n

Creating Kafka Producer:

\n
    \n
  1. Open a new command prompt in the location C:\\kafka\\bin\\windows
    2. \n
  2. Run the following command:
    3. \n
\n
kafka-console-producer.bat --broker-list localhost:9092 --topic test
\n

Creating Kafka Consumer:

\n
    \n
  1. Open a new command prompt in the location C:\\kafka\\bin\\windows.
    2. \n
  2. Run the following command:
    3. \n
\n
kafka-console-consumer.bat --bootstrap-server localhost:9092 --topic test --from-beginning
\n

If you see these messages on consumer console,Congratulations!!! you all done. Then you can play with producer and consumer terminal bypassing some Kafka messages.

\n","frontmatter":{"date":"August 25, 2020","updated_date":null,"description":null,"title":"Setting Up and Running Apache Kafka on Windows OS","tags":["Kafka","Windows"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/cf0f7f91117e9c259a3ad57b67a89c15/ee604/messagelog.png","srcSet":"/static/cf0f7f91117e9c259a3ad57b67a89c15/69585/messagelog.png 200w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/497c6/messagelog.png 400w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/ee604/messagelog.png 800w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/f3583/messagelog.png 1200w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/5707d/messagelog.png 1600w,\n/static/cf0f7f91117e9c259a3ad57b67a89c15/7ddcb/messagelog.png 2700w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Ashish Sharma","github":"ashish8947","avatar":null}}}},{"node":{"excerpt":"Getting Started with OAuth 2.0 OAuth has been a jargon for quite some time now and it is difficult for a beginner to learn it, not because…","fields":{"slug":"/engineering/oauth2/"},"html":"

Getting Started with OAuth 2.0

\n

OAuth has been a jargon for quite some time now and it is difficult for a beginner to learn it, not because OAuth is hard, but because of the confusing facts found about OAuth on the web. So I wrote this article to explain why and how OAuth is used in very simple terms.

\n

Let’s start with the basics: OAuth stands for Open Authorization. It’s a process through which an application or website can access private data from another website.\nIt provides applications the ability for “secure designated access.” For example, you can tell Google that it’s OK for abc.com to access your google account or contact without having to give abc.com your google password.

\n

OAuth never share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

\n

Now Let’s have a look at OAuth 2.0 Terminology.

\n\n

We have a pretty good understanding of OAuth 2.0 and Terminology, let’s move further and discuss the OAuth grant type that is widely used in this protocol.

\n

In total, there are five different grant type flows defined and described to perform authorizations tasks. Those are

\n\n

Authorization Code Grant

\n

The Authorization Code Grant Type is the most commonly used grant type.

\n

\n \n \n

\n

The Story: A user tries to log in on abc.com but he can’t remember his password and he discovers an option to sign in with google, by clicking on this, the user will easily get logged using google account.

\n

Flow

\n

The client redirects the user to the authorization server having the following parameters in the query string.

\n

Step 1

\n\n

After successful authentication, the user will be redirected to the Consent screen where he needs to provide consent to abc.com to access the account detail.\nAuthorization code is generated by the authorization server and sent back to the client with redirect Uri.

\n

Step 2\nThe client will now send a POST request to the authorization server with the following parameters:

\n\n

In the entire flow, the access token is never exposed to a web browser.

\n

Implicit Grant

\n

The Implicit flow was a simplified OAuth flow previously recommended for client-side applications like JavaScript apps where the access token was returned immediately without an extra authorization code exchange step.

\n

\n \n \n

\n

The Story: In this flow abc.com directly get access token without an extra authorization code exchange steps and able to access resources on a resource server

\n

Flow

\n

The client will redirect the user to the authorization server with the following parameters in the query string:

\n\n

It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.

\n

Resource Owner Credentials Grant

\n

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.

\n

This grant type is suitable for clients capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

\n

Flow

\n

The client will ask the user for their authorization credentials (usually a username and password).\nThe client then sends a POST request with following body parameters to the authorization server:

\n\n

Client Credentials Grant

\n

Using this flow the client can request an access token using only its client credentials (or other supported means of authentication).

\n

\n \n \n

\n

The Story: The client application presents its client credentials (client identifier and client secret) to the authorization server requesting approval to access the protected resource (owned by the client application) on the resource server.\nThe authorization server authenticates the client credential and issues an access token.

\n

Flow

\n

The client sends a POST request with following body parameters to the authorization server:

\n\n

Refresh Token Grant

\n

Access tokens eventually expire, however, some grants respond with a refresh token which enables the client to refresh the access token.

\n

Flow

\n

The client sends a POST request with following body parameters to the authorization server:

\n\n

Conclusion

\n

I hope you got an idea of how OAuth works and why it is needed. Now it’s time for you to go explore, find out more about the OAuth flow and implement it into your application.\nGood Luck and have fun! Thank you for following this article and hope it helped you! Please do buzz me if you want any help: indrasen.kumar@loginradius.com

\n","frontmatter":{"date":"August 24, 2020","updated_date":null,"description":"Using this blog one can easily understand the basic concept of Oauth 2.0","title":"Getting Started with OAuth 2.0","tags":["Engineering","Oauth","Authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/e6413c80a3d38d63b14543319d3c54dd/ee604/oauth2.png","srcSet":"/static/e6413c80a3d38d63b14543319d3c54dd/69585/oauth2.png 200w,\n/static/e6413c80a3d38d63b14543319d3c54dd/497c6/oauth2.png 400w,\n/static/e6413c80a3d38d63b14543319d3c54dd/ee604/oauth2.png 800w,\n/static/e6413c80a3d38d63b14543319d3c54dd/40ffe/oauth2.png 960w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Indrasen Kumar","github":"indrasen715","avatar":null}}}},{"node":{"excerpt":"What is the Rest API? RESTful programming provides stateless and a uniform interface, Rest API is HTTP-based URLs that hide the back-end…","fields":{"slug":"/engineering/best-practice-guide-for-rest-api-security/"},"html":"

What is the Rest API?

\n

RESTful programming provides stateless and a uniform interface, Rest API is HTTP-based URLs that hide the back-end infrastructure from the user. Rest APIs provide the back end for modern web and mobile applications.

\n

Why is API security important?

\n

Rest APIs are the most important layer in the back-end infrastructure for most modern applications. Cybercriminals are increasingly targeting APIs. Ensuring web API security is the most important and crucial. Let’s see what you can do to ensure REST API security.

\n

Common Security Vulnerabilities & Mistakes and Best Practices to Secure REST APIs

\n

Always Use HTTPS

\n

API security start with Http Connection. All requests from clients to your API should be encrypted (HTTPS). Unfortunately, many client HTTP do not enable HTTPS/secure connections by default it’s necessary to enforce that from the server. When Clients who attempt to connect via HTTP should forcefully be redirected to secure HTTPS connections.

\n

You can use HTTP Strict Transport Security security header enforcing Https for web and You can return error for API in case Rest API call on HTTP

\n

You can get a free certificate with Let's Encrypt. SSL provides security from basic API vulnerabilities with almost minimal effort

\n

Distributed Denial of Service Attacks (DDoS)

\n

A Distributed Denial of Service (DDoS) is a targeted cyber attack on a web site or device where a malicious attacker flood of traffic is sent from single or multiple sources. the main purpose of DDos is to make a machine or network resource unavailable to its genuine users by temporarily or disrupting services of a host connected to the Internet. if we are not using appropriate security practice or tools then it makes RESTful API into a non-functional situation.

\n
How to Prevent or Stop DDoS Attacks
\n

API DoS attacks are more common these days. Rest APIs utilizations also increasing day-by-day. The organization's dependency is increasing day-by-day because of business needed a unified platform. An attacker can use multiple ways for the DDoS attack so as developer or security engineer you need to implement long-term solution not a temporary

\n
Rate Limit
\n

Attackers can make so many repeated calls on the APIs. it can make resources unavailable to its genuine users. A rate limit is the number of API calls an app or user can make within a given period. When this limit is exceeded, block API access temporarily and return the 429 (too many requests) HTTP error code.

\n

I m adding node js examples to implement the rate limit. multiple npm packages are available for node js

\n

NodeJs

\n
import rateLimit from 'express-rate-limit';\n\nexport const apiRatelimit = rateLimit({\n  windowMs: 60 * 60 * 1000, // 1 hrs in milliseconds\n  max: 100,\n  message: 'You have exceeded the 100 requests in 1 hrs limit!', \n  headers: true, // it will add X-RateLimit-Limit , X-RateLimit-Remaining and Retry-After Headers in the request \n});\n\n//  you can add this in the middleware. it will apply rate limit for the all requests \napp.use(apiRatelimit);
\n
Passive cache
\n

Active cache means if the service first attempts to read from the cache backend and falls back to reading from the actual source. The service is not dependent or requesting the data from the actual upstream server. a cache backend is a key-value store (e.g. Redis) or In-Memory cache and the actual source of data is an SQL, MongoDB, etc.

\n

Passive cache architecture ensures high volume traffic never hit to actual server or service.

\n

I m adding node js examples to implement the passive cache. multiple npm packages are available for node js

\n

NodeJs

\n
import nodeCache from "node-cache";\n\nconst myCache = new nodeCache();\n\n// set object in the cache \n\nobj = { userid: 909887, name: "example" };\n\nsuccess = myCache.set( "userKey", obj, 600 ); // ttl is 600 seconds \n\n\n//read object from the cache \nvalue = myCache.get( "userKey" );\nif ( value == undefined ){\n\t// handle miss!\n}
\n

Sensitive Data Exposure

\n

Sensitive data exposure happens when an application, organization, or other entity unable to properly secure sensitive data. It is different from a data breach, it includes personal information, tokens, etc. We can make sure sensitive data security using
\nmultiple ways which include encryption at rest or in transit and masking

\n

Cross-Site Scripting

\n

Cross-Site Scripting (XSS) attacks are a type of injection, in which attacker aims to execute malicious scripts in a web browser of the victim. an attacker can transfer untrusted data into the API as part of a query or command.which can result in an attacker obtaining unauthorized access to information or carry out other damages.

\n
How to Prevent or Stop Cross-Site Scripting (XSS) Attack
\n
1.Filter input on arrival:
\n

At the point where user input is received, filter as strictly as possible based on what is expected or valid input.

\n
2. Use appropriate response headers:
\n

To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.

\n

If you want to know more details about the security headers. Please go to Security Headers

\n
3. Use Content Security Policy:
\n

As a last line of defense against attackers, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.

\n

Node js we can use xss-clean package. This dependency will prevent users from inserting HTML & Scripts on input.

\n

NodeJs

\n
import xssClean from "xss-clean";\n\n// Use this as middleare \napp.use(xssClean())
\n

Insufficient Logging and Monitoring

\n

We can discover suspicious activity using proper logging and monitoring. When We have insufficient logging and monitoring in that case sometimes we can miss some system access or user activity logs, a step of the particular activity and security alerts.

\n
Logging and Monitoring
\n

A lot of logging and monitoring tools are available. We can choose the best tools as per our requirement also we can define some policies like data retention policy that includes how far backlogs will be kept. Instrument your API access actions to record key metrics and events. Keep logs indexable and searchable.

\n

Give Limited Access

\n

Each API should limit access, API only able to perform what tasks they need to do. We can do this with Role-Based Access, separate read/write API Keys, OAuth Scopes, and permissions systems. This minimizes the chances that you’ll accidentally expose a sensitive field.

\n

Security Reports

\n

Sometimes, people find security vulnerabilities, and they would like to report them so the vendor or the developer can fix them. you must have a public contact point where security issues can be reported.

\n

We can create a security.txt file on the site. security.txt is a proposed standard for websites' security information that will allow security researchers to easily report security vulnerabilities. The \"security.txt\" that is similar to robots.txt. security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook

\n

You can easily create secuirty.txt file using the securitytxt.org

\n

Summary

\n

Now days lot of data breaches are happing. We can save mostly data breaches after following some basic security guidelines.You have to pay attention to security during Rest API development. I have covered most of the general Rest API security issues with resolution. these guidelines will help you for developing more secure and quality REST API service.

\n","frontmatter":{"date":"August 20, 2020","updated_date":null,"description":null,"title":"Best Practice Guide For Rest API Security | LoginRadius","tags":["RestAPI","Rest API","Rest API Security","Best Practice","Rest API Developer Guide","Security"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/0fa4b802f45fe1aadfd22a6700b780f7/14b42/index.jpg","srcSet":"/static/0fa4b802f45fe1aadfd22a6700b780f7/f836f/index.jpg 200w,\n/static/0fa4b802f45fe1aadfd22a6700b780f7/2244e/index.jpg 400w,\n/static/0fa4b802f45fe1aadfd22a6700b780f7/14b42/index.jpg 800w,\n/static/0fa4b802f45fe1aadfd22a6700b780f7/47498/index.jpg 1200w,\n/static/0fa4b802f45fe1aadfd22a6700b780f7/0e329/index.jpg 1600w,\n/static/0fa4b802f45fe1aadfd22a6700b780f7/d8255/index.jpg 1920w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Vijay Singh Shekhawat","github":"code-vj","avatar":null}}}},{"node":{"excerpt":"In this blog we will learn how to create our own webpack configuration to bundle a small JavaScript utility library using webpack and babel…","fields":{"slug":"/engineering/write-a-javascript-library-using-webpack-and-babel/"},"html":"

In this blog we will learn how to create our own webpack configuration to bundle a small JavaScript utility library using webpack and babel.

\n

This blog will be divided into two parts:

\n\n

Let's create the source code for our library. For that we will be create two utility functions into two separate files in our source folder.

\n

Step 1 : Create a directory demo and run following command in it.

\n
  $ npm init -y
\n

The above command will create a package.json in your project root. I am using a --y to initialize it with default options.

\n

Directory Structure

\n
demo\n  |-- src/\n  |-- package.json
\n

Step 2: Adding our source code.

\n

Let's add our source code into src directory:

\n
src\n |--index.js\n |--capital.js\n |--addDOMContent.js
\n

Our utility library contains two functions capital, to capitalize a string and addDOMContent, to add content to a web page, each in it's own module.

\n

capital.js

\n
function capital(string) {\n  const capitalizedString =\n    string.substring(0, 1).toUpperCase() + string.substring(1)\n  return capitalizedString\n}\n\nexport default capital
\n

addDOMContent.js

\n
function addDOMContent(content) {\n  const node = document.createElement("h1")\n  node.innerText = content\n  document.body.appendChild(node)\n}\n\nexport default addDOMContent
\n

Inside our index.js, we will import these two functions.

\n

index.js

\n
import capital from "./capital"\nimport addDOMContent from "./addDOMContent"\n\nexport { capital, addDOMContent }
\n

So far we got the source code ready but we still need to bundle it so that the browsers can understand and oh boy!, we need to support some older browsers too 🙄. Anyway, being responsible developers we are going to do that 😎.

\n

Step 3: Let's install some of our project dev dependencies as they are only needed during development.

\n
 $ npm i --save-dev webpack webpack-cli @babel/core @babel/preset-env babel-loader
\n

We need webpack to bundle our code and webpack-cli is a command-line tool that uses webpack to do the same. Also webpack requires babel-loader to transpile our ES6 code to ES5 before bundling (Remember, what I said about being responsible developers 😃).

\n

Step 4: Now let's get our webpack and babel configuration in place. (We are almost there)

\n

4.1. Create a webpack.config.js at the root of the project.

\n

webpack.config.js

\n
const path = require("path")\n\nmodule.exports = {\n  entry: path.resolve(__dirname, "src/index.js"),\n  output: {\n    path: path.resolve(__dirname, "dist"),\n    filename: "index_bundle.js",\n    library: "$",\n    libraryTarget: "umd",\n  },\n  module: {\n    rules: [\n      {\n        test: /\\.(js)$/,\n        exclude: /node_modules/,\n        use: "babel-loader",\n      },\n    ],\n  },\n  mode: "development",\n}
\n

There are a couple of things we need to understand about webpack configuration. Stay with me for a couple more minutes.

\n\n

.babelrc

\n
{\n  presets: ["@babel/preset-env"]\n}
\n

@babel/preset-env let's us use the latest Javascript without any polyfills and syntax transforms.babel-loader uses babel under the hood.

\n

By Now our Project Structure should look like this:

\n
demo\n|-- src\n|   |-- index.js\n|   |-- capital.js\n|   |-- addDOMContent.js\n|-- webpack.config.js\n|-- .babelrc\n|-- package.json\n|-- node_modules
\n

Step 5: One last step. I know I keep saying that but I promise this is last 😬.

\n

We have added our source files, now let's add an npm script to build final code using webpack and modify the main property inside our package.json to point it to our bundled code.

\n

package.json

\n
{\n  "name": "demo",\n  "version": "1.0.0",\n  "description": "",\n+  "main": "dist/index_bundle.js",\n+  "scripts": {\n+    "build": "webpack"\n+  },\n  "keywords": [],\n  "author": "Hridayesh Sharma",\n  "license": "ISC",\n  "dependencies": {},\n  "devDependencies": {\n    "@babel/core": "^7.10.4",\n    "@babel/preset-env": "^7.11.0",\n    "babel-loader": "^8.1.0",\n    "webpack": "^4.44.1",\n    "webpack-cli": "^3.3.12",\n  }\n}
\n

In package.json the main property is a direction to the entry point of the module that the package.json is describing.

\n

Hurray! We have finally created our utility library using ES6.🥳

\n

Run $npm run build to generate the bundled code and use it in the next step.

\n

Let's test our library now.

\n

index.html

\n
<!DOCTYPE html>\n<html lang="en">\n  <head>\n    <meta charset="UTF-8" />\n    <meta name="viewport" content="width=device-width, initial-scale=1.0" />\n    <title>Demo</title>\n  </head>\n  <body>\n    <script src="dist/index_bundle.js"></script>\n    <script>\n      console.log($)\n      alert($.capital("hridayesh"))\n      $.addDOMContent("Well It Works Fine!!!")\n    </script>\n  </body>\n</html>
\n

Save it and run it in your browser. You will see the name capitalized.

\n

The complete code is available at LoginRadius Engineering Blog Sample Repo

\n

Thanks for reading the blog. For detailed information and execution example of this blog, please refer to the video below:

\n\n","frontmatter":{"date":"August 18, 2020","updated_date":null,"description":"Writing your own webpack configuration for a JavaScript library in ES6 and learn webpack along the way.","title":"Let's Write a JavaScript Library in ES6 using Webpack and Babel","tags":["JavaScript","Webpack","NodeJs"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/4a7d7b651d2d5406780c786320c2b664/ee604/cover.png","srcSet":"/static/4a7d7b651d2d5406780c786320c2b664/69585/cover.png 200w,\n/static/4a7d7b651d2d5406780c786320c2b664/497c6/cover.png 400w,\n/static/4a7d7b651d2d5406780c786320c2b664/ee604/cover.png 800w,\n/static/4a7d7b651d2d5406780c786320c2b664/a8378/cover.png 1024w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Hridayesh Sharma","github":"vyasriday","avatar":null}}}},{"node":{"excerpt":"Every Web Developer should know about cross-domain security While working in the world of the internet, all of the complex systems are…","fields":{"slug":"/engineering/cross-domain-security/"},"html":"

Every Web Developer should know about cross-domain security

\n

While working in the world of the internet, all of the complex systems are interconnected in a shareable environment. But exposing systems in the outer world will invite security vulnerabilities and data breach for the organization. Cross-domain security address this security threat by enabling information sharing in more reliable and secure environments. Cross-domain security is an inclusive approach to defending against all kinds of threats to data connections at the boundaries of sensitive or classified networks.

\n

The Major Concepts of Security

\n

100% Security doesn’t exists.

\n

There is no way of being 100% protected from being hacked. If anyone ever tells you that, they are wrong.

\n

Single layer of protection isn’t enough.

\n

You can’t just say…

\n
\n

\"Oh, because I even have CSP implemented, I am safe. I can cross out cross-site scripting from my vulnerabilities list because that can’t happen now.\"

\n
\n

Maybe that is a given to some, but it is easy to find yourself thinking in this manner. In my opinion one reason that programmers can easily find themselves thinking this way is because so much of coding is black and white, 0 or 1, true or false. Security is not that so simple.

\n

Cross-Origin Resource Sharing (CORS)

\n

Have you ever gotten an error that looked something like this?

\n
No 'Access-Control-Allow-Origin' header is available on the requested resource. Origin 'null' is therefore not allowed access.
\n

You are certainly not alone. And then you Google it, and someone tells you to urge this extension which will make all of your problems go away!

\n
\n

Awesome, right?

\n
\n

CORS is there to protect you, not hurt you!

\n

In order to explain how CORS helps you, let’s starts about cookies, specifically authentication cookies. Authentication cookies are wont to tell a server that you are simply logged in, and that they are automatically sent with any request you make to that server.

\n
\n

Let’s think you’re logged in to yahoo, and they use authentication cookies. You click on bit.ly/r43nugi which redirects you to cryptoearn. A script within cryptoearn makes a client-side request to yahoo.com which sends your authentication cookie!

\n
\n

In a no-CORS world, they might make changes to your account without you even knowing. Until, obiviously , they post bit.ly/r43nugi on your timeline, and everyone of your relative orfriends click on thereon, and then the cycle continues in an evil breadth-first scheme that conquers all of yahoo’s users, and the world is consumed by cryptoearn. ?

\n

In CORS world, however, yahoo would only allow requests with an origin of yahoo.com to edit data on their server. In other words, they might limit cross-origin resource sharing. You might then ask…

\n
\n

Well can cryptoearn just change the origin header on their request, so that it looks like it is coming from *yahoo.com?*

\n
\n

They will try, but it won’t work because the browser will just ignore it and use the actual origin.

\n
\n

Ok, but what if cryptoearn made the request server-side?

\n
\n

In this case, they can bypass CORS, but they can't crack this because they won’t be ready to send your authentication cookie along for the ride. The script should be executed on the client side to urge access to your client side cookies.

\n

What is a security Policy?

\n
\n

Servers are generally host web sites, applications, images, fonts, and many more. When you use any browser, you are likely attempting to access a definite website (that is hosted on a server). Websites often request these hosted resources from different locations (servers) on the web. Security policies on servers mitigate the risks associated with requesting assets hosted on distinct server. Let’s take a glance at an example of a security policy: same-origin.\nThe **same-origin *policy is very restrictive. Under this policy, a document (i.e., sort of a web page) hosted on server A can only interact with other documents that also are on server A. In short, the same-origin policy enforces that documents that interact with one another have the same *origin.

\n
\n

The CORS standards manage cross-origin requests by adding a new HTTP headers to the standard list of headers. The following are the new HTTP headers added by the CORS standard:

\n\n

Content Security Policy (CSP)

\n

To dig in to CSP, we first need to talk about one of the most common vulnerabilities on the web: XSS, which means cross-site scripting.

\n

XSS is when some evil guy injects JavaScript into your client-side code. You might think…

\n
\n

What are they going to do? Change a color from red to blue?

\n
\n

Let’s think of someone has successfully injected JavaScript into client-side code of a website you are visiting.

\n

What could they do that would be malicious?

\n\n

The possibilities are endless.

\n

CSP is something prevent this from happening by limiting:

\n\n

Whenever you click on a link or type a website URL in the address bar of your internet browser, your browser makes a GET request. It eventually makes its way to a server which serves up HTML along with HTTP headers. for more details about what headers, open up the Network tab in your console, and visit some sites.

\n

You might see a response header that looks like below:

\n
content-security-policy: default-src * data: blob:;script-src *.yahoo.com *.fbcdn.net *.yahoo.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' *.atlassolutions.com blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.yahoo.com yahoo.com *.fbcdn.net *.yahoo.net *.spotilocal.com:* wss://*.yahoo.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
\n

That is the content security policy of yahoo.com. Let’s reformat it to make it easier to read:

\n
content-security-policy:\ndefault-src * data: blob:;\n\nscript-src *.yahoo.com *.fbcdn.net *.yahoo.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' *.atlassolutions.com blob: data: 'self';\n\nstyle-src data: blob: 'unsafe-inline' *;\n\nconnect-src *.yahoo.com yahoo.com *.fbcdn.net *.yahoo.net *.spotilocal.com:* wss://*.yahoo.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
\n

Now, let’s break down the directives.

\n\n

Note: there are many more CSP directives than just these four shown above. The internet browser will read the CSP header and apply those directives to everything within the HTML file that was served. If the directives are set correctly, they allow only what is required.

\n

If there is no CSP header is present, then everything goes, and nothing is restricted. Everywhere you see * , that is a wildcard. You can think of replacing * with anything and it will be allowed.

\n

Conclusion

\n

Security is something that should be important to everyone, not just the people who have it explicitly named in their job title, and always try to have additional layer for better security.

\n","frontmatter":{"date":"August 16, 2020","updated_date":null,"description":"Cross domain security address security threat by enabling the information sharing in more reliable and secure environments. Cross domain security is an inclusive approach to defending against all kind of threats to data connections at the boundaries of sensitive or classified networks.","title":"Cross Domain Security","tags":["Security","Web Security","Cross-Domain"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/790cea1b5ac8ae81febf53547ae0d319/ee604/cross_domain_security.png","srcSet":"/static/790cea1b5ac8ae81febf53547ae0d319/69585/cross_domain_security.png 200w,\n/static/790cea1b5ac8ae81febf53547ae0d319/497c6/cross_domain_security.png 400w,\n/static/790cea1b5ac8ae81febf53547ae0d319/ee604/cross_domain_security.png 800w,\n/static/790cea1b5ac8ae81febf53547ae0d319/f3583/cross_domain_security.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Abhimanyu Singh Rathore","github":"abhir9","avatar":null}}}}]},"markdownRemark":{"excerpt":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards…","fields":{"slug":"/identity/developer-first-identity-provider-loginradius/"},"html":"

Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards and refining approaches to building secure, seamless experiences.

\n

We’re here to support developers on that journey. We know how important simplicity, efficiency, and well-structured documentation are when working with identity and access management solutions. That’s why we’ve redesigned the LoginRadius website—to be faster, more intuitive, and developer-first in every way.

\n

The goal? Having them spend less time searching and more time building.

\n

What’s New and Improved on the LoginRadius Website?

\n

LoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve spent the last few months redesigning our interface— making navigation more intuitive and reassuring that essential resources are easily accessible.

\n

Here’s a closer look at what’s new and why it’s important:

\n

A Developer-Friendly Dark Theme

\n

\"This

\n

Developers spend long hours working in dark-themed IDEs and terminals, so we’ve designed the LoginRadius experience to be developer-friendly and align with that preference.

\n

The new dark mode reduces eye strain, enhances readability, and provides a seamless transition between a coding environment and our platform. Our new design features a clean, modern aesthetic with a consistent color scheme and Barlow typography, ensuring better readability. High-quality graphics and icons are thoughtfully placed to enhance the content without adding visual clutter.

\n

So, whether you’re navigating our API docs or configuring authentication into your system, our improved interface will make those extended development hours more comfortable and efficient.

\n

Clear Categorization for LoginRadius Capabilities

\n

\"This

\n

We’ve restructured our website to provide a straightforward breakdown of our customer identity and access management platform capabilities, helping you quickly find what you need:

\n\n

This structured layout ensures you can quickly understand each capability and how it integrates into your identity ecosystem.

\n

Developer-First Navigation

\n

\"This

\n

We’ve been analyzing developer workflows to identify how you access key resources. That’s why we redesigned our navigation with one goal in mind: to reduce clicks and make essential resources readily available.

\n

The new LoginRadius structure puts APIs, SDKs, and integration guides right at the menu bar under the Developers dropdown so you can get started faster. Our Products, Solutions, and Customer Services are also clearly categorized, helping development teams quickly find the right tools and make informed decisions.

\n

Quick Understanding of Integration Benefits

\n

\"This

\n

Developers now have a clear view of the tech stack available with LoginRadius, designed to support diverse business needs.

\n

Our platform offers pre-built SDKs for Node.js, Python, Java, and more, making CIAM integration seamless across popular programming languages and frameworks.

\n

Over to You Now!

\n

Check out our revamped LoginRadius website and see how the improved experience makes it easier to build, scale, and secure your applications.

\n

Do not forget to explore the improved navigation and API documentation, and get started with our free trial today. We’re excited to see what you’ll build with LoginRadius!

\n","frontmatter":{"date":"February 21, 2025","updated_date":null,"description":"LoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve redesigned our website interface, making navigation more intuitive and reassuring that essential resources are easily accessible.","title":"Revamped & Ready: Introducing the New Developer-First LoginRadius Website","tags":["Developer tools","API","Identity Management","User Authentication"],"pinned":true,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7857142857142858,"src":"/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp","srcSet":"/static/80b4e4fbe176a10a327d273504607f32/61e93/hero-section.webp 200w,\n/static/80b4e4fbe176a10a327d273504607f32/1f5c5/hero-section.webp 400w,\n/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp 800w,\n/static/80b4e4fbe176a10a327d273504607f32/99238/hero-section.webp 1200w,\n/static/80b4e4fbe176a10a327d273504607f32/7c22d/hero-section.webp 1600w,\n/static/80b4e4fbe176a10a327d273504607f32/1258b/hero-section.webp 2732w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.jpg"}}}},"pageContext":{"limit":6,"skip":732,"currentPage":123,"type":"///","numPages":161,"pinned":"ee8a4479-3471-53b1-bf62-d0d8dc3faaeb"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}