About

I’m a .NET developer and team lead at a state government agency (what could be more Enterprise-y than that?). I’m interested in new technologies and techniques, but I balance them with skepticism and maintainability concerns. In a work environment where process is substantial, development timeframes are measured in months at least and sometimes years, and application lifecycles can span decades, it’s important to find the right mix of technologies that will play well with others and be around for the long haul.

My LinkedIn profile

3 thoughts on “About”

  1. Hi Steve, I came across your blog via a Reddit post about your “Bolt-On CSRF Protection in Intranet Web API Windows Authentication Scenarios” post. I’m facing a similar situation now where my client is also a government agency which requires Domain Authentication. Having built a solution in WebAPI with an AngularJS client, we realised that we don’t have protection from CSRF attacks. Even if the risk is low due to our current security, it’s something we’d like to resolve without replacing existing Domain Authentication. I came to an almost identical solution to yours and was wondering whether you went ahead with it or not, and if it was as strong as fully fledged token solutions like OAuth2?

    • I think most of our teams are still using CSRF tokens in a more manual way, and we have some token-based authentications in the pipeline as well.