Single page application architecture is becoming more prevalent, yet many established patterns to implement authentication security and user experience have not caught up. Patterns used by traditional web applications do not cross over well, or at all, to a true stateless architecture where there is no server-side web session.

The popularity of JSON Web Tokens (JWTs) is well deserved. This fantastic evolution is a building block for solving these problems. As JWTs provide a simple, cryptographically secure means of exchanging information, they make stateless authentication possible. However, a building block is just that: a place to start. In going through…


Let’s examine an innocuous-looking URL that you may see when you are looking at your order history on some e-commerce site:

https://www.yourfavsite.com/account/orders?orderid=5963

Speaking strictly from an application security perspective, there is no problem here. As long as you’ve done your job on the back end checking that the order’s user matches the logged-in user, there is no security risk. You can’t look at other users’ orders, and they can’t look at yours.

The problem is that this one URL gives a surprising amount of insight into the underlying data, and therefore the business. Let’s see how.

Leak #1: Overall Business Data Size

If this is…

Peter Locke

Cofounder and CTO @giftbit / @lightrailhq — Builder of business focussed engineering teams and technology strategies.
