i come from a java and c# background, and have built webapps the "classic" way (i.e., jsp, asp.net, cookies, server-side rendering, occasionally ajax, etc.).

i am about to build my first (eventually) medium-sized web app, where the server-side would just be serving up data rest-api style, and both local and remote users would be connecting via a browser and/or a non-browser. the webapp is meant for use within an organization only, but because the organization is spread out in three different locations, the rest api (or perhaps some sort of an api gateway?) would have to be exposed to the internet.

my questions are all security-related, and we're thinking of using go as the programming language, along with some external libraries such as routers (we're currently investigating gorilla mux, ozzo-routing, and others).

(1) is validating JWTs in a web request's authorization header the current dominant best practice for securing an api? what are its pros and cons?

(2) would using a session cookie + some authorization middleware (such as casbin) make sense for our situation? what are its pros and cons?

thanks for helping!
