I'd like to point out this really interesting article on the topic: Token Theft Talk.
Key points and topics covered:
- Primary Refresh Tokens (PRT) on all operating system platforms have been hardened against theft from day one. The level of protection depends on operating system capabilities, with Windows offering the strongest protection.
- The first line of defense against token theft is protecting your devices by deploying endpoint protections, device management, MFA (and moving towards phishing-resistant credentials), and antimalware.
You can reduce token theft by carefully orchestrating Entra ID security products:
▶Addressing token theft of sign-in session artifacts: Conditional Access: Token protection policy offers cryptographic protection against replay of stolen tokens.
▶Addressing token theft of app session artifacts: block usage of stolen access tokens and workload cookies outside of your corporate network by using Conditional Access.
▶Detecting token theft: enable risk detections with Microsoft Entra ID Protection to elevate user risk when token theft is suspected.
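As an added illustration of the "outside your corporate network" and "detecting token theft" points (example code written for this post, not from the article or from Microsoft), the following Python flags sign-in sessions that are reused from a different device or from outside a corporate IP range without a fresh MFA. The record field names, the corporate range and the sample records are all constructed for this example and do not mirror the real Entra sign-in log schema.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate egress range (TEST-NET-3, constructed for this example).
CORPORATE_NETS = [ip_network("203.0.113.0/24")]

# Constructed sample sign-in records. A "sessionId" stands in for the
# artifact that ties later sign-ins back to the original session.
SAMPLE_SIGNINS = [
    {"user": "alice@contoso.example", "sessionId": "s-1",
     "ip": "203.0.113.10", "deviceId": "dev-A", "mfa": True},
    # Same session, later reused from an unmanaged device off-network without MFA.
    {"user": "alice@contoso.example", "sessionId": "s-1",
     "ip": "198.51.100.7", "deviceId": "", "mfa": False},
    {"user": "bob@contoso.example", "sessionId": "s-2",
     "ip": "203.0.113.11", "deviceId": "dev-B", "mfa": True},
    # Same device, still inside the corporate range: benign IP change.
    {"user": "bob@contoso.example", "sessionId": "s-2",
     "ip": "203.0.113.12", "deviceId": "dev-B", "mfa": False},
]


def is_corporate(ip: str) -> bool:
    """True if the address falls inside one of the corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_suspect_sessions(signins):
    """Group records by session and compare each later use against the first.

    A session is flagged when it is later used from a different device, or when
    it started inside the corporate network and is later used outside it with
    no fresh MFA. Returns {sessionId: [reasons]} for flagged sessions only.
    """
    by_session = defaultdict(list)
    for rec in signins:
        by_session[rec["sessionId"]].append(rec)

    findings = {}
    for sid, recs in by_session.items():
        first = recs[0]
        reasons = set()
        for rec in recs[1:]:
            if rec["deviceId"] != first["deviceId"]:
                reasons.add("device-changed")
            if is_corporate(first["ip"]) and not is_corporate(rec["ip"]) and not rec["mfa"]:
                reasons.add("left-corporate-network-without-mfa")
        if reasons:
            findings[sid] = sorted(reasons)
    return findings
```

Feeding real sign-in exports into this requires mapping the actual log fields onto the keys used here; the point is the comparison logic, not the field names.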
https://techcommunity.microsoft.com/t5/microsoft-entra-blog/addressing-data-exfiltration-token-theft-talk/ba-p/3915337
#microsoft #microsoftsecurity #entraid #azuread #azure #idp #token #tokentheft #cloudsecurity #identity #prt #cookies #identityprotection #mfa #cae #conditionalaccess #refreshtoken #token