The security reason for exclusion of error codes and other information is
that the data helps the attacker subvert the app. I continue my attempt to
avoid helping the attacker.
thx ..Tom (mobile)
On Sat, Aug 26, 2023, 7:58 AM Dick Hardt wrote:
Jaimandeep: Do I understand your objection to adoption is that providing a
resource discovery endpoint increases the attack surface as an
attacker gains knowledge about the resource?
If I understand that correctly, then you are suggesting security through
obscurity.
As mentioned by Aaron, there
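The argument above hinges on a discovery document being public by design: what keeps a client safe is the validation it performs on that document, not keeping the endpoint hidden. The following added example (not code from the thread or from any of its participants) sketches that validation in Python. It assumes a metadata document shaped like the one in the resource-metadata draft under discussion, with a `resource` field naming the protected resource and an `authorization_servers` list; the sample document and its values are constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a protected-resource metadata document. The field
# names follow the resource-metadata draft as I understand it (an assumption
# for this example); the hostnames and scopes are made up.
SAMPLE_METADATA = json.dumps({
    "resource": "https://api.example.com",
    "authorization_servers": ["https://as.example.com"],
    "scopes_supported": ["read", "write"],
})


def validate_resource_metadata(expected_resource: str, body: str) -> dict:
    """Parse a metadata document and reject anything a client must not trust.

    The document is public, so the client's safety comes from binding it to
    the resource identifier it asked about and from only accepting
    authorization servers it will reach over TLS, not from hiding the document.
    """
    doc = json.loads(body)

    # The metadata must describe exactly the resource the client asked about;
    # otherwise a document served for some other resource could redirect the
    # client to an authorization server of the wrong party.
    resource = doc.get("resource")
    if resource != expected_resource:
        raise ValueError(
            f"metadata resource {resource!r} does not match {expected_resource!r}"
        )

    servers = doc.get("authorization_servers")
    if not isinstance(servers, list) or not servers:
        raise ValueError("authorization_servers missing or empty")

    # Every authorization server must be an https URL without query or
    # fragment, so later discovery and token requests cannot be downgraded
    # or confused by trailing components.
    for url in servers:
        parts = urlsplit(url)
        if (
            parts.scheme != "https"
            or not parts.netloc
            or parts.query
            or parts.fragment
        ):
            raise ValueError(f"unacceptable authorization server URL: {url!r}")

    return doc


def metadata_is_acceptable(expected_resource: str, body: str) -> bool:
    """Boolean wrapper around validate_resource_metadata for callers that
    prefer a yes/no answer over exceptions."""
    try:
        validate_resource_metadata(expected_resource, body)
    except (ValueError, json.JSONDecodeError):
        return False
    return True


if __name__ == "__main__":
    doc = validate_resource_metadata("https://api.example.com", SAMPLE_METADATA)
    print("accepted authorization servers:", doc["authorization_servers"])
    print("wrong resource accepted?",
          metadata_is_acceptable("https://other.example", SAMPLE_METADATA))
```

The two failure cases the wrapper covers, a document for a different resource and an authorization server that is not reachable over https, are the ones an attacker who merely knows the endpoint exists cannot exploit as long as the client performs these checks.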
Right Philippe - there really is no way to create a secure client as a web
app. You would need access to the trusted execution environment, which is
not available.
..tom
On Sat, Aug 26, 2023 at 5:21 AM Philippe De Ryck <phili...@pragmaticwebsecurity.com> wrote:
My responses inline.
> Hi everyone,
>
> The document is about "OAuth 2.0 for Browser-Based Apps". Its abstract
> further explains that it "details the security considerations and best
> practices that must be taken into account when developing browser-based
> applications that use OAuth