.NET Rocks!

Backend for Frontend Security Framework with Erwin van der Valk

May 15, 2025
Erwin van der Valk, a Principal Engineer at Duende Software, dives into the intricacies of securing browser-based frontends with ASP.NET Core backends. He shines a light on the Backend for Frontend (BFF) Security Framework, discussing Sam Newman's BFF Pattern to manage diverse clients. The conversation highlights the complexities of OAuth 2.0 in tackling backend security, and Erwin emphasizes the necessity of layered security measures, cookie management, and efficient workflows to protect user identity and enhance application safety.
INSIGHT

Access Tokens Risk in Browsers

  • Browser-based apps increase security risk by handling access tokens in the client side.
  • Vulnerabilities like cross-site scripting expose those tokens to attackers, enlarging the attack surface.
INSIGHT

Separate Authentication from Authorization

  • Authentication identifies who you are, while authorization decides what you can do.
  • Authorization often requires policy evaluation beyond identity provider claims.
ADVICE

Use Custom Headers to Block CSRF

  • Require a custom header on requests to the BFF server to block CSRF attacks.
  • A cross-site page cannot attach that header without the browser issuing a CORS preflight, which the BFF refuses for foreign origins, eliminating many attack vectors.
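The check described above, as an added example that is not code from the episode or from the Duende BFF library: an ASP.NET Core minimal-API app that rejects any `/api` request lacking the custom header. The header name `X-CSRF` and value `1` are assumptions chosen for illustration.

```csharp
// Added example; not the Duende BFF implementation. Assumes ASP.NET Core 8+.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

const string CsrfHeader = "X-CSRF"; // assumed header name
const string CsrfValue = "1";       // assumed header value

// Gate every /api route on the custom header. An HTML form submitted from a
// foreign site cannot add custom headers at all, and a cross-origin fetch/XHR
// that tries to add one becomes a "non-simple" request, so the browser sends a
// CORS preflight first; this app never answers that preflight for other origins,
// so the browser blocks the request before the session cookie is ever used.
app.Use(async (context, next) =>
{
    if (context.Request.Path.StartsWithSegments("/api") &&
        context.Request.Headers[CsrfHeader] != CsrfValue)
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        await context.Response.WriteAsync("missing anti-forgery header");
        return; // short-circuit: the endpoint is never reached
    }
    await next(context);
});

// Same-origin frontend code calls this as:
//   fetch("/api/me", { headers: { "X-CSRF": "1" } })
// The header is the only thing a cross-site attacker cannot supply.
app.MapGet("/api/me", (HttpContext ctx) =>
    Results.Ok(new { name = ctx.User.Identity?.Name ?? "anonymous" }));

app.Run();
```

In a real BFF this middleware sits in front of the cookie-authenticated token-exchange and API-proxy endpoints, so the session cookie alone is never enough to reach them.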