Questions tagged [microservices]
17 questions
1 vote · 1 answer · 60 views
Encrypted ids to break inter-service dependencies
Let's say I have "transactions" and "users" services managing transaction and user data respectively. A transaction record only has the sender's user id, but on display I want to show the sender's email. I also ...
0 votes · 0 answers · 78 views
OAuth2 System Design for Single Sign-On | Auto-Detect Session?
I'm working on configuring my suite of services (in different domains) so that they can all be accessed via Single Sign-On. I'm using AWS Cognito as a wrapper around a SAML IdP (Azure AD).
What I ...
1 vote · 2 answers · 225 views
Weak password hash + strong rate limiter = secure?
I have a microservice whose sole purpose is to serve as a cache for other microservices. The point of the cache is to speed up processing, but the strong password hash algorithm counters that purpose. (...
0 votes · 0 answers · 114 views
Security Risks with Event Streaming
At a high level, event store and streaming technologies (e.g. Apache Kafka, Amazon Kinesis, etc.) are used to decouple systems and make them event-driven. I was wondering what new ...
1 vote · 1 answer · 340 views
Can the services inside the VPC be authentication-less?
We have a microservices architecture, where many microservices need to talk to each other for data.
These services are inside a VPC.
I need to understand if the HTTP APIs of these microservices need ...
2 votes · 2 answers · 240 views
Are error code prefixes specific to particular microservices a vulnerability?
If your microservice architecture responds with error codes revealing which microservice had an error, doesn't this reveal to the caller information on how your microservice architecture is designed?
...
1 vote · 1 answer · 2k views
Setting HttpOnly Secure cookies in microservice architecture
I have read that storing the JWT within an HttpOnly Secure cookie is the recommended way to prevent both CSRF attacks and XSS attacks.
When a user goes to my website they may make an API call ...
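Added example for the question above (not code from the question or any answer; the cookie name and token value are constructed placeholders). It builds the `Set-Cookie` header a gateway or auth service would emit for a token cookie and audits a header for the attributes that matter: HttpOnly keeps the token away from page scripts, Secure keeps it off plaintext HTTP, and SameSite is the attribute that stops the browser attaching the cookie to cross-site requests; HttpOnly by itself does nothing against CSRF, which is why the audit checks all three.

```python
"""Build and audit a Set-Cookie header that carries a session token (added
example, not code from the question; the cookie name and token value are
constructed placeholders).
"""


def build_session_cookie(token: str, max_age: int = 900) -> str:
    """Return the Set-Cookie value for a token cookie. The __Host- prefix
    makes browsers refuse the cookie unless it is Secure, has Path=/ and no
    Domain attribute, so a sibling sub-domain cannot overwrite it."""
    if not token or any(c in token for c in ";,\r\n "):
        raise ValueError("token must be a non-empty cookie-safe string")
    return (
        f"__Host-session={token}; Path=/; Max-Age={max_age}; "
        "HttpOnly; Secure; SameSite=Strict"
    )


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are case-insensitive (RFC 6265), so keys are lower-cased;
    bare flags such as HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return the problems a reviewer would flag for a cookie that holds a
    bearer token; an empty list means the header passes."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: token readable by injected script (XSS)")
    if "secure" not in attrs:
        problems.append("missing Secure: token sent over plaintext HTTP")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: cookie sent on cross-site requests (CSRF)")
    if name.startswith("__Host-") and ("domain" in attrs or attrs.get("path") != "/"):
        problems.append("__Host- prefix requires Path=/ and no Domain attribute")
    return problems


if __name__ == "__main__":
    header = build_session_cookie("eyJhbGciOiJIUzI1NiJ9.e30.constructed")
    print(header)
    print(audit_set_cookie(header))                    # no findings
    print(audit_set_cookie("session=abc123; Path=/"))  # three findings
```

`SameSite=Strict` is the right default for a cookie that only the same site's API consumes; if the app is opened from links on other sites and must be logged in on arrival, `Lax` plus a separate CSRF token on state-changing calls is the usual compromise.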
2 votes · 2 answers · 358 views
Access Control for REST APIs - OWASP recommendation
OWASP states:
Non-public REST services must perform access control at each API
endpoint. Web services in monolithic applications implement this by
means of user authentication, authorisation logic ...
2 votes · 0 answers · 107 views
Assuming secure code practices are adhered to, is a thousand-tier/n-tier microservices application or a monolithic application more secure? [closed]
Assuming secure code practices are all adhered to for both applications, is a thousand-tier/n-tier microservices application or a monolithic application more secure?
From a monitoring, visibility ...
1 vote · 0 answers · 62 views
A single microservice (e.g., a Spring Boot jar) can be dependent on more than 100 libraries - how to ensure that none of these are compromised? [duplicate]
It took only one DLL, SolarWinds.Orion.Core.BusinessLayer.dll, to bring so many companies to their knees. To be more precise, just a couple of lines of code in a single DLL.
In today's cloud-native ...
3 votes · 1 answer · 3k views
Propagating user context between microservices secured with M2M JWT tokens
We have a current microservice architecture where we secure communication between microservices via Machine-To-Machine access tokens (these tokens are obtained using the Client Credentials grant flow)....
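Added example for the question above (not code from the question or any answer). It shows one way to carry the end-user context on a service-to-service hop without inventing an unsigned "user id" header: the token the calling service presents keeps the user as `sub` and records the calling service in an `act` claim, the delegation shape from RFC 8693 token exchange, and the receiving service verifies the signature, algorithm, audience and expiry before authorising on the user's scopes. The shared HMAC key, issuer URL, service names, scope and user id are constructed placeholders; HS256 is used only so the block runs with the standard library, and a real deployment would sign with an asymmetric algorithm (RS256/ES256) and publish keys via JWKS so no callee holds a signing secret.

```python
"""Mint and verify an HS256 JWT that carries both the calling service and the
end user (added example; key, issuer, names and scopes are constructed).
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Serialise claims as a compact JWS signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def delegated_token(*, user_id: str, user_scopes: list[str], acting_service: str,
                    audience: str, key: bytes, now: int, ttl: int = 300) -> str:
    """Token a service obtains (e.g. via RFC 8693 token exchange) to call
    `audience` on behalf of `user_id`: the subject stays the user, the calling
    service is recorded under `act`, so the callee authorises on the user's
    scopes and still knows which machine identity made the hop."""
    claims = {
        "iss": "https://auth.example.internal",  # hypothetical issuer
        "sub": user_id,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "scope": " ".join(user_scopes),
        "act": {"sub": acting_service},
    }
    return mint_hs256(claims, key)


def verify_hs256(token: str, key: bytes, *, audience: str, now: int) -> dict:
    """Verify algorithm, signature, audience and expiry; return the claims or
    raise ValueError. The alg check comes first so an attacker-chosen header
    ('none', key-confusion) is never honoured."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def is_valid(token: str, key: bytes, *, audience: str, now: int) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_hs256(token, key, audience=audience, now=now)
        return True
    except ValueError:
        return False


def authorize(claims: dict, required_scope: str) -> tuple[str, str]:
    """What the receiving service does after verification: enforce the user's
    scope and return (user, acting service) for the audit log."""
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError(f"scope {required_scope!r} not granted to {claims.get('sub')}")
    return claims["sub"], claims.get("act", {}).get("sub", "")


if __name__ == "__main__":
    key, now = b"constructed-shared-secret", 1_700_000_000
    tok = delegated_token(user_id="user-42", user_scopes=["orders:read"],
                          acting_service="svc-orders", audience="svc-users", key=key, now=now)
    print(authorize(verify_hs256(tok, key, audience="svc-users", now=now + 10), "orders:read"))
```

The audience check is what stops a token minted for one internal service being replayed against another; the short `exp` bounds how long a captured delegated token stays useful.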
0 votes · 1 answer · 347 views
In Microservice Architecture, how to secure inter-service (service to service) calls
In a microservice architecture there are public clients and confidential clients.
As per the API Gateway pattern, public clients connecting from a browser to the backend reach it via the API Gateway.
API Gateway ...
0 votes · 0 answers · 150 views
How to prevent horizontal escalation attacks when a centralized authorization service as gateway is used?
Say I have a gateway which provides authorization mechanisms by validating a JWT; behind the API gateway there are different microservices, but only the gateway port is public. As a software designer ...
1 vote · 1 answer · 745 views
Disable SSL verification between isolated microservices
I have an internet-isolated EC2 instance running a Ruby client that connects to multiple EC2 servers of mine in the same network with different sub-domain names. These EC2 servers are ...
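Added example for the question above (not code from the question or any answer, and in Python rather than the question's Ruby so it runs under the same toolchain as the other examples on this page; the CA bundle path is a hypothetical location). It puts the "just turn verification off" client context beside the one a practitioner would actually deploy for internal sub-domains: verification stays on, but the trust anchor is the private CA that issued the internal certificates, and `server_hostname` is what makes the per-sub-domain name check work. The Ruby equivalents on `Net::HTTP` are `ca_file=` / `cert_store=` with `verify_mode = OpenSSL::SSL::VERIFY_PEER` instead of `VERIFY_NONE`.

```python
"""Client-side TLS configuration for calls between internal services (added
example; the CA bundle path is hypothetical).

Disabling verification removes the only thing that binds the connection to a
particular server: anything that can get packets to the client can then
impersonate any of the sub-domains.
"""
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """What VERIFY_NONE amounts to: no chain validation and no hostname
    check. Shown only as the anti-pattern."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def internal_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verification stays on, but the trust anchor is the private CA that
    issued the internal certificates. ca_bundle is that CA's PEM file
    (e.g. /etc/pki/internal-ca.pem, hypothetical); None keeps the system
    store, which is what the offline test uses."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True           # cert name must match server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_internal(host: str, port: int, ca_bundle: str) -> ssl.SSLSocket:
    """Open a verified connection. server_hostname is both what the hostname
    check compares against and the SNI value, so each sub-domain's server
    can present its own certificate."""
    ctx = internal_client_context(ca_bundle)
    raw = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=host)


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise against a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    return findings


if __name__ == "__main__":
    print(audit_context(insecure_client_context()))  # two or three findings
    print(audit_context(internal_client_context()))  # no findings
```

Pointing `cafile` at only the private CA (rather than appending it to the system bundle) also means a public-CA certificate for a look-alike name is rejected on the internal side.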
1 vote · 0 answers · 112 views
Generate a new AccessToken each time a user updates his information
I'm building a PWA app, where I implemented JWT tokens to authenticate users.
I have 2 main architecture problems, but let me introduce you to what I'm building.
I'm building an application that is all about dog ...
0 votes · 1 answer · 763 views
Microservice security: How to perform authorization + do services also need auth checks individually?
I have the following architecture for accessing a REST service that requires authentication:
OIDC token flow managed at the client
Access token verified at the server in the auth service (proxied ...
3 votes · 1 answer · 721 views
Is it necessary to protect the OAuth2 return URL?
I am thinking of implementing a REST service that needs to call another REST service that is protected by OAuth2.
My service is "always" called server to server by web applications.
The user interacts ...