Securing a go REST API - Part 4: CSRF
This is part 4 of a multipart series on how to secure your API in golang. This post will talk about dealing with Cross-Site Request Forgery (CSRF for short), an attack on web applications where the attacker tricks users into performing unintended actions. This attack only works for APIs served to a frontend (e.g. a React application), as it relies on the fact that browsers send the user’s cookies automatically when calling a web page.
Securing a go REST API - Part 3: Passwords, Tokens and Secrets
This is part 3 of a multipart series on how to secure your API in golang. This post will talk about dealing with passwords, tokens and generally secrets. We won’t go into the cryptographic details here and instead focus on the best practices because I want this to be a short and concise guide rather than another blog post about hashes and rainbow tables.
Hash your passwords
This post is not going into the details of why you should hash your passwords, but you need to look for mainly two things:
Securing a go REST API - Part 2: Timeouts
This is part 2 of a multipart series on how to secure your API in golang. We covered session management in part 1.
Filippo Valsorda makes an excellent case about exposing your go service. This blogpost will only talk about one little piece of all this, namely timeouts. Timeouts are one of the rare cases where the default values aren’t secure in golang. This is mostly due to historical reasons and maintaining backwards compatibility; however, the often-used helper methods http.
Securing a go REST API - Part 1: Sessions
This is part 1 of a multipart series on how to secure your API in golang. This series is inspired by this blogpost where they use a token to implement stateless session management. In this part I want to talk about session management in general.
More and more people recommend JWTs (JSON Web Tokens) for session management in web apps. People see different benefits for using them in session management.