Should user object be stored in JSON Web Token?

My question is rather simple: should we or should we not store a user object in the JWT's payload? For example: With user object embedded: { iss: "https://YOUR_NAMESPACE", user: user, // user object fro
Is getting the API key in the query string secure?

I am making an API and want other users to be able to access it. My implementation is to get the API key and API "password" from the query string and use them to identify if the user is a valid user of o
Safe URL Parameter Validation in ASP

I found the following function to parse and validate URL parameters being used in legacy ASP: FOR EACH field IN Request.QueryString var_name = field var_value = Request.QueryString(fi
Secure server-side language

Looking around the horizon of the web server side, I see that scripted languages like PHP are quite popular, probably due to the speed of development and ease of programming. However scripted languages
X-Frame-Options set as "DENY DENY"

In some web applications I have noticed there are two options set for the X-Frame-Options header, like X-Frame-Options: DENY DENY (the DENY option should have been wrongly added twice). In this case, will the brow
Simple example for why Same Origin Policy is needed

I've read about Same Origin Policy, but for a better understanding of the matter: could anyone please write a simple code (in any language) that will demonstrate an attack that SOP stops? How was it po
Any logical loopholes in this idea for preventing Cross Site Request Forgery?

I've read several XSRF solutions that rely on adding more tokens to the response, which do help protect code that only runs on POST. I.e. this would be a one-step attack relying on a page that responds
Populate username and password on another domain from my domain?

I have received a request, and I cannot find a secure way to implement it. If you know a secure way to do this, please let me know. I'm developing www.abcd.com with ASP.NET MVC. The client already has
How can I disable the same origin policy iframe port restriction in Firefox 48?

Firefox 48 has a new security restriction that blocks JavaScript calls in iframes if the port is different. Is there a way to disable this in about:config or some other setting (basically disable the
"Same origin policy" and scripts loaded from Google - a vulnerable solution?

I read the question here in SO "jQuery Linking vs. Download" and I somehow don't get it. What happens if you host a page on http://yourserver.com, but load the jQuery library from http://ajax.googleapis.co
Considerations regarding a p2p social network

While there are many social networks in the wild, most rely on data stored on a central site owned by a third party. I'd like to build a solution where data remains local on members' systems. Think of t
Make authorization with social networks OAuth 2.0 at smartphone app

We are making a game for smartphones and want to make social network authentication and authorization, but met a big problem: we successfully implemented VK.com or Facebook authentication via OAuth 2.0 (c
What's the right OAuth 2.0 flow for a mobile app?

I am trying to implement delegated authorization in a Web API for mobile apps using OAuth 2.0. According to the specification, the implicit grant flow does not support refresh tokens, which means once an
Why shouldn't I keep client_secret in a mobile app in OAuth 2.0 (authorization code grant flow)?

We've got an app which should use authentication through a third-party OAuth 2.0 server, which acts as an authorization server. As I understand, there are two possibilities. The "right" one is: Mobile app