Showing posts with the label jwt

CSRF Anti-Attack Guide

Introduction

CSRF (Cross-Site Request Forgery) is a type of attack targeting user sessions. Attackers trick the victim's browser into sending requests (carrying the victim's identifying cookies) to websites where the victim is logged in, without the victim's permission. To prevent CSRF, there are 3 main strategies:

Method 1: Check Origin / Referer headers
Check whether the Origin or Referer header matches the server domain. If they differ, block the request immediately at the NextJS proxy layer before forwarding it to the server.

Method 2: Configure SameSite for cookies
When setting cookies for the client, set the SameSite=Strict or SameSite=Lax attribute. If a request then originates from a different website, the browser refuses to attach the cookie, NextJS receives a request without credentials and returns a 401 Unauthorized error.

Method 3: Use a CSRF token
Require the client to send a token (generated randomly for each user or using JWT) in a header. Since a fake site cannot have this token, the out...

Guide to Implementing Authentication with NestJS and SSO Saml2

Introduction

SSO (Single Sign-On) is a centralized authentication mechanism that allows users to access multiple different systems with a single set of login credentials. Key advantages include:
Improving the user experience by reducing the number of passwords to remember.
Enhancing security through centralized management, which minimizes the risk of brute-force attacks at many separate points.

Purpose: To let users log in only once, at one location (the Identity Provider, IdP), and then access multiple different applications without re-entering their password. Example: You log into your Google account, then open Gmail, YouTube and Drive without logging in again.

SAML & SAML2 (Security Assertion Markup Language)
SAML 1.0/1.1 were the first versions that laid the foundation for exchanging identity data using XML, but they are now obsolete. SAML 2.0 (Saml2) is a strong consolidation and improvement of them, supporting modern web scenarios and becoming the most popular standard for SSO in Corporate/Enterpri...