Authentication is only one part of the story. 0:00 You also need to be sure your users are allowed to perform certain actions. 0:03 This is known as authorization, and 0:08 it's mainly about managing permissions for users. 0:10 Why do you need to authorize a user by specifying 0:14 every action they are allowed to perform? 0:17 In this simple case, you could give a user the ability to access your admin panel and 0:20 steal credentials. 0:24 Even worse, 0:26 a user could gain access to the underlying servers on which you run your software. 0:27 This would allow them to steal even more data or use the servers in a botnet. 0:32 The malicious possibilities are endless, and 0:37 it's your job as an informed developer to protect your users and your services. 0:39 When authorizing users to perform actions, you should 0:46 always validate your users' actions, both on the client and on the server. 0:49 Validating actions on the client reduces low hanging fruit for 0:54 less motivated attackers. 0:58 However, client-sided code is much more vulnerable to malicious attacks. 1:00 You should always validate on the server as well. 1:05 When the action is validated on the server, the malicious user 1:08 is required to have access to the code on a web server in some other location. 1:12 Although there may be bugs in the code which would allow access, 1:17 server side code is typically easier to protect. 1:20 If you only validate in one place, always validate on the server. 1:24 Depending on the language in which your application is written, 1:30 there are plenty of existing libraries and 1:33 frameworks that provide some sort of built-in authorization. 1:35 For example, in JavaScript, there are libraries to provide permissions and 1:39 access controls to objects. 1:43 Additionally, you can write custom business logic to prevent certain users 1:46 from performing certain actions by checking their identity 1:50 against the action. 1:54 Finally, for more advanced requirements, 1:56 you can put systems in place that detect unusual user activity. 1:59 As with login activity, by monitoring the number of actions and spacing between 2:03 actions, policies can be enforced that will limit or block certain actions. 2:09 Now, you should have a good idea of the types of tools to look for 2:15 when building your own application. 2:19 Check out the teacher's notes for 2:21 more resources around TLS, authentication, and authorization. 2:22 In the next stage, 2:27 we're going to look at maintaining the security of an application in production. 2:28