my blog. for you.

Let’s talk digital.

I’m an independent IT consultant and entrepreneur in the Internet and software business. I’m interested in design, enterprise applications, web apps and SaaS products. I design and develop business solutions and applications. I help companies in terms of software quality and knowledge transfer, e.g. with Angular and Spring Boot.

API Security Best Practices by Expedited Security

For everyone dealing with web-based APIs, both as a provider and a consumer, web app security service supplier Expedited Security (known for Expedited SSL, among other products) has compiled a vast, extensive compendium on API security best practices. The importance of secure APIs and best practices that help has make APIs more secure and dependable can't be emphasised enough. Covering each possible attack vector and adopting every best practice out there can seem like a truly daunting task. Guides like this one help ... Read more

JSON Web Tokens: Downsides, Best Practices and Secure and Robust Alternatives

JSON Web Tokens (JWTs) nowadays are commonly used for transmitting authentication data in web applications, especially those exhibiting the widespread client-server architecture where you have a fat client / single-page application written in JavaScript as a front-end and a back-end server providing REST endpoints for use by that front-end client. However, while common there are good arguments against this practice. In a nutshell, JWT often are used for storing session data such user authorization and authentication information although they aren't particularly well-suited to ... Read more

HTTP and REST Standards, Protocols and Headers for More Secure and More Robust Applications

Standards.REST is a website that helps you create better, more robust HTTP- and REST-based applications by providing an overview of existing, proven standards that allow you to build on existing solutions rather than re-invent the wheel yourself. The list of standards mentioned includes OAuth 2.0, the HTTP Caching standard and Application-Level Profile Semantics (ALPS), which - among others - is used extensively in Spring Data REST and Spring HATEOAS. On a closely related note, Stefan Judis published an article on HTTP headers ... Read more

OAuth 2.0 Authentication with Jira – A Spring Boot Example Application

When dealing with the specifics of authentication techniques and protocols such as OAuth the devil often is in the detail. While the OAuth 2.0 protocol generally is easy to grasp and simple to use implementation details for specific authentication providers can easily have you hit a snag fairly quickly. Documentation and examples sometimes are outdated or scattered across several - sometimes contradictory documents. Additionally, examples for the authentication provider you want to use might not have been written with your framework of ... Read more

Observatory by Mozilla: Security Checkup for Your Websites and Web Apps

Observatory by Mozilla is a security checkup tool for websites and web apps that both assesses your website in terms of HTTP security measures and best practices and also suggests approaches and techniques for further improving security. Observatory's goal is to provide developers with insights as to their applications' security standards as well as to educate developers about HTTP security options such as the Content Security Policy or HTTP Strict Transport Security headers and the respective standards and policies they implement. Observatory is ... Read more

Security Expert Mario Heiderich About AngularJS and Security

At beyond tellerrand in Düsseldorf this year security expert Mario Heidrich gave a fast-paced - if sometimes too abrasive for my liking - talk about security and AngularJS: This talk contains a lot of useful insights as to what to pay attention to in order to secure your AngularJS applications (or in fact any web application created with a modern JavaScript framework), as well as techniques and approaches security consultants and hackers (both the white and black hat varieties) use in order ... Read more

OpenSSL Heartbleed Bug: Idea For New Password Management Protocol

On 07 April 2014 a very serious OpenSSL bug with the colourful name 'Heartbleed' was disclosed. You can read more about this bug here, here and on the blog of the Chuck Norris of cryptography, Bruce Schneier. You can check here if your website or a service you're using is affected by this bug. Suffice it to say that the consequences are as severe as can be for most of the core services of the Internet. GitHub, Google, Facebook, Dropbox, Evernote, Tumblr, ... Read more