Security

Protections

SSL

• SSL is enabled on all resources and endpoints.

CORS

• API deployments allow access from one origin per stage.

XSS

• A content security policy prevents the browser from downloading or executing scripts from unauthorized sources.
• React escapes input loaded from a database.

Authentication

• User profiles are stored and managed through AWS Cognito.
• An library developed by Amazon is used for authentication actions like.

Authorization

• Brute force attacks are handled by Cloudfront, the CDN.
• Resources that contain private user data are only accessible to authenticated users.
• User credentials are verified using an AWS-provided Authorizer.
• Access to the Lambda function that queries the database is based on a whitelist of API Gateway resources.
• Access to the database is granted to Lambdas through Identity-Based Policies (IAM Policies).

Vulnerabilities

• Access to the AWS account by an unauthorized party.
• Credentials extracted from browser storage. Possible mitigation: Credential storage in HTTP only cookies, CSRF tokens.
• Delayed cross-device sign out. Possible mitigation: Blacklist of tokens invalidated during global sign outs.