https://www.rhelmer.org/blog/stellar-whiskers-multiplayer-login-system/ is a new-ish blog post I wrote on secure web authentication. I'm using it for multiplayer web-based games. Part 2 of a 3 part series (part 3 next week is about using HPKE for storing PII like real name and email address, let me know if you're interested in reviewing it early!).

Title is "How HttpOnly cookies with CHIPS prevent XSS attacks and cross-site tracking while maintaining seamless authentication across subdomains." ... I believe it also effectively mitigates CSRF but comments welcome of course!

#WebSecurity #InfoSec #WebDev #FullStack #GameDev #IndieDev #BrowserSecurity
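Added example (not from the linked post or rhelmer's code): one way to emit the session cookie the post describes, HttpOnly plus Partitioned (CHIPS) with a Domain attribute covering sibling subdomains, alongside a checker that flags a Set-Cookie header missing those protections. The cookie name `session`, the domain `example.com` and the token value are constructed.

```javascript
// Build the Set-Cookie header for a session token with the attributes the post relies on.
// Domain=example.com (constructed) lets play.example.com and api.example.com share the cookie;
// those hosts are the same *site*, so SameSite=Lax still allows their requests to carry it
// while blocking cross-site POSTs (the CSRF angle the post mentions).
function buildSessionCookie({ name, value, domain, maxAgeSeconds }) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Domain=${domain}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',        // CHIPS requires Secure on a Partitioned cookie
    'HttpOnly',      // keeps the token out of document.cookie, so injected script cannot read it
    'SameSite=Lax',
    'Partitioned',   // cookie jar is keyed by top-level site: no cross-site tracking via this cookie
  ].join('; ');
}

// Minimal Set-Cookie parser: first segment is name=value, the rest are attributes
// (flag attributes become `true`, valued ones keep their string; keys are lower-cased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Defensive check a server or test suite can run over its own Set-Cookie headers.
// Returns a list of problems; an empty list means the cookie has every attribute the design needs.
function checkSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push('missing HttpOnly: token readable by injected script');
  if (!attrs.secure) problems.push('missing Secure: required for Partitioned and for transport protection');
  if (!attrs.partitioned) problems.push('missing Partitioned: cookie usable for cross-site tracking');
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    problems.push('SameSite not Lax/Strict: cross-site requests may carry the cookie');
  }
  return problems;
}
```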

@rhelmer yeah, that's a good design :) some nitpicky notes (scnr)
1) I wouldn't call JWT in localStorage *vulnerable* to XSS. They are susceptible to exfiltration by an XSS attacker. 2) Partitioned also prevents cross-origin CSRF attackers :)
@freddy Thanks! I might ask you for review next time if you don't mind ;)
@freddy I will make these edits to the posts later today, thanks!