Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll
Preview
Start a free Courses trial
to watch this video
After you authenticate a user, you want to make sure that you don’t allow them to perform actions on your site that they are not allowed to do, or that could negatively impact your service or other users. For this reason, you should always implement proper access control checks and authorize all user actions.
Documentation
Authentication is only
one part of the story.
0:00
You also need to be sure your users
are allowed to perform certain actions.
0:03
This is known as authorization, and
0:08
it's mainly about managing permissions for
users.
0:10
Why do you need to authorize
a user by specifying
0:14
every action they are allowed to perform?
0:17
In this simple case, you could give a user
the ability to access your admin panel and
0:20
steal credentials.
0:24
Even worse,
0:26
a user could gain access to the underlying
servers on which you run your software.
0:27
This would allow them to steal even more
data or use the servers in a botnet.
0:32
The malicious possibilities are endless,
and
0:37
it's your job as an informed developer
to protect your users and your services.
0:39
When authorizing users to perform actions,
you should
0:46
always validate your users' actions,
both on the client and on the server.
0:49
Validating actions on the client
reduces low hanging fruit for
0:54
less motivated attackers.
0:58
However, client-sided code is much
more vulnerable to malicious attacks.
1:00
You should always validate
on the server as well.
1:05
When the action is validated on
the server, the malicious user
1:08
is required to have access to the code
on a web server in some other location.
1:12
Although there may be bugs in
the code which would allow access,
1:17
server side code is
typically easier to protect.
1:20
If you only validate in one place,
always validate on the server.
1:24
Depending on the language in which
your application is written,
1:30
there are plenty of existing libraries and
1:33
frameworks that provide some
sort of built-in authorization.
1:35
For example, in JavaScript, there
are libraries to provide permissions and
1:39
access controls to objects.
1:43
Additionally, you can write custom
business logic to prevent certain users
1:46
from performing certain actions
by checking their identity
1:50
against the action.
1:54
Finally, for more advanced requirements,
1:56
you can put systems in place that
detect unusual user activity.
1:59
As with login activity, by monitoring
the number of actions and spacing between
2:03
actions, policies can be enforced that
will limit or block certain actions.
2:09
Now, you should have a good idea
of the types of tools to look for
2:15
when building your own application.
2:19
Check out the teacher's notes for
2:21
more resources around TLS,
authentication, and authorization.
2:22
In the next stage,
2:27
we're going to look at maintaining the
security of an application in production.
2:28
You need to sign up for Treehouse in order to download course files.
Sign up