May 16
JWTs: Connecting the Dot — Why, When and How
Understanding the fundamentals of JSON web tokens is essential. When incorrectly configured or misused, they can give users access beyond their privileges. JSON web tokens (JWTs) are great — they are easy to work with and stateless, requiring less communication with a centralized authentication server. JWTs are handy when you…
Jwt · 7 min read

May 5
5 Steps to Modernize Large Websites Using OAuth
An overview of some recommended deployment and separation patterns for when implementing security solutions for web and API components. One of the major concerns in software systems is keeping a code base maintainable over time as the amount of logic grows. In recent years it has been a best practice…
Oauth · 9 min read

Apr 24
Identity Distribution is Essential for Modern API Security
It ensures that in the complex mesh of services comprising your API, every party handles requests securely and performs informed authorization decisions. Behind today’s APIs, it’s common to have many services processing a single request. Gone are the days when a monolithic application was exposed directly on the internet and…
Api Security · 7 min read

Feb 17
5 Software Security Goals All CTOs Should Prioritize
A design with a good separation of concerns will perform well. Keep the application security code simple and ensure that security behavior is easy to extend. Companies providing digital services need to secure access to information to protect data that belongs to the organization, its customers and its business partners…
Security · 6 min read

Dec 14, 2022
How to Handle Sessions with Cookies and Tokens
An application is usually an orchestration of several components, requiring more advanced session management than a single instance. A session can be considered as the user’s activity within an application in a given time frame. It starts when the user first interacts with the application and ends when the user…
Session Management · 4 min read

Nov 29, 2022
To Password or Not to Password: That is the Question
A no-password approach is better for increased security, but who needs it, and how and when should an organization go passwordless? Passwords remain the default method of user authentication, but the question is for how long? It is becoming more or less an established fact that passwords are insufficient to…
Passwordless · 5 min read

Nov 16, 2022
How to Improve Your OAuth Developer Experience
Enable developers to operate in a more business-aligned way with design patterns that enable your company to run the best security everywhere. These days, developer experience (DX) is a term used frequently but is often misunderstood. The truth is that a poor developer setup can negatively affect the time to…
Oauth · 9 min read

Oct 6, 2022
The Different Token Types and Formats Explained
Different tokens have different purposes and should be used appropriately for each use case. When building security solutions using OAuth and OpenID Connect (OIDC), we frequently discuss tokens. Sometimes these systems are even referred to as token-based architectures. Tokens play a core role in authorizing access to applications, services and…
Token · 8 min read

Sep 9, 2022
The OAuth Flows You Need for Modern Security
A few years back, I wrote the article “8 Vital OAuth Flows and Powers” for Nordic APIs. Since then, a lot has happened around the OAuth and OpenID specifications. Some flows have been updated, others have been deprecated and some new ones have been added. …
Oauth · 7 min read

Sep 1, 2022
To Truly Secure APIs, Go Beyond API Keys
What is the most important lesson we can learn regarding API security? Apart from that, it should be of paramount concern for all modern enterprises, it’s my view that API security should revolve around identity. …
API · 4 min read