Backend concept

Auth & Access Control

Authentication, authorization, sessions, token scope, CSRF, and object-level access checks.

Why this matters

Auth bugs often expose private data or allow actions that the backend should reject.

How to practice

Separate identity, permission, browser request safety, and ownership checks.

Learning objectives

  • Separate authentication failures from authorization failures.
  • Recognize token expiration, missing scopes, CSRF risk, and session fixation risk.
  • Apply object-level authorization instead of trusting a valid token alone.
  • Explain when browsers send CORS preflight requests.
  • Choose safe Access-Control headers for origins, credentials, methods, and headers.
  • Avoid common CORS mistakes such as wildcard credentials and unsafe origin reflection.

Common mistakes to avoid

  • Treating a valid JWT signature as permission for every object or action.
  • Returning 401 for authenticated users who lack scope or ownership.
  • Ignoring CSRF on cookie-authenticated write endpoints.
  • Keeping the same session id after login or privilege escalation.
  • Reflecting any Origin header for sensitive authenticated APIs.
  • Combining wildcard origins with credentials.
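The mistakes listed above come from collapsing four distinct checks into one "is the token valid?" test. The following is an added example, not code from the page or its games, showing a minimal write handler that keeps them separate: identity (401), a CSRF token bound to the session for cookie-authenticated writes, scope (403), and object ownership (404 so existence is not leaked), plus session-id rotation on login and a CORS allowlist that never reflects an arbitrary Origin. The in-memory session store, document table, scope name `docs:write`, allowed origin and header names are assumptions chosen for the example.

```python
"""Added example (not from the original page): separate authn, CSRF, scope and
ownership checks in one request handler; rotate session ids on login; allowlist
CORS origins. All stores, scope names and origins below are constructed data."""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed allowlist: only explicit origins, never "*" when credentials are sent.
ALLOWED_ORIGINS = {"https://app.example.test"}
SESSIONS = {}   # session_id -> {"user": str, "scopes": set, "csrf": str}
DOCUMENTS = {"doc-1": {"owner": "alice", "body": "draft"}}  # constructed data


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def login(user, scopes, old_session_id=None):
    """Issue a fresh session id at login. Any pre-login id (which an attacker
    could have planted, i.e. session fixation) is discarded rather than reused."""
    if old_session_id in SESSIONS:
        del SESSIONS[old_session_id]
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "scopes": set(scopes),
        "csrf": secrets.token_urlsafe(32),   # per-session CSRF token
    }
    return sid


def cors_headers(origin):
    """Match the Origin against an allowlist. On a miss, send no CORS headers at
    all; on a hit, echo that single allowed origin (required when credentials
    are allowed, since '*' plus credentials is rejected by browsers)."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",   # cache must not serve one origin's answer to another
    }


def handle_update(req, doc_id, required_scope="docs:write"):
    """Return (status, body). Order: authentication -> CSRF -> scope -> ownership."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, {"error": "not authenticated"}        # who are you?
    # Cookie-authenticated write: the browser attaches the cookie automatically,
    # so require a token that only same-origin script could have read.
    if req.method in {"POST", "PUT", "PATCH", "DELETE"}:
        sent = req.headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(sent, session["csrf"]):
            return 403, {"error": "csrf check failed"}
    if required_scope not in session["scopes"]:
        return 403, {"error": "missing scope"}            # known user, not permitted
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session["user"]:
        return 404, {"error": "not found"}                # object-level check
    doc["body"] = "updated"
    return 200, {"ok": True}


if __name__ == "__main__":
    sid = login("alice", ["docs:write"])
    good = Request("PUT", "/docs/doc-1",
                   headers={"X-CSRF-Token": SESSIONS[sid]["csrf"]},
                   cookies={"sid": sid})
    print(handle_update(good, "doc-1"))                   # (200, {'ok': True})
    print(handle_update(Request("PUT", "/docs/doc-1"), "doc-1"))   # (401, ...)
```

The ordering matters for the status codes the page warns about: an unauthenticated caller gets 401, an authenticated caller without the scope gets 403, and an authenticated, in-scope caller who does not own the object gets 404 rather than either of those.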

Games for Auth & Access Control

Start with the first game, then use local review history to revisit missed decisions.

Auth Intermediate

Auth Token Inspector

Inspect authentication scenarios and choose safe backend decisions for tokens, scopes, sessions, CSRF, and object-level authorization.

Time: 6-9 minutes
Concept: Authentication, authorization, sessions, and token safety
  • Foundations
  • Auth
  • JWT
  • sessions

APIs Intermediate

CORS Preflight Pilot

Guide browser API requests through CORS decisions covering origins, preflight, credentials, exposed headers, and cache safety.

Time: 6-9 minutes
Concept: CORS, browser security boundaries, and preflight response design
  • Foundations
  • CORS
  • HTTP
  • browser security

APIs Intermediate

Webhook Signature Forensics

Investigate webhook requests and choose safe handling for signatures, replay windows, retries, idempotency, and durable acknowledgement.

Time: 6-9 minutes
Concept: Webhook verification, replay protection, idempotency, and retry-safe processing
  • Foundations
  • webhooks
  • HMAC
  • idempotency