This chapter covers
- Avoiding common implementation vulnerabilities in protected resources
- Countering known attacks against protected resources
- Benefiting from modern browser protections when designing a protected resource’s endpoint
In the previous chapter, we reviewed common attacks against OAuth clients. Now it’s time to see how to protect a resource server and defend against common attacks targeting OAuth protected resources. In this chapter, we’re going to learn how to design resource endpoints to minimize the risk of token spoofing and token replay. We’ll also see how we can leverage modern browsers’ protection mechanisms to make the designer’s life easier.