![\"infra](\"/9475f7e05b9e351f919a2b693d2812da/infra1.webp\")
When we visit any website in the browser, the browser sends some request headers to the server and the server responds with HTTP response headers. These headers are used by the client and server to share information as a part of the HTTP protocol. Browsers have defined behavior of the web page according to these headers during communication with the server. These headers are mainly a combination of key-value pairs separated by a colon :. There are many HTTP headers, but here I'm covering some very useful web security headers, which will improve your website security.
As you know, nowadays too many data breaches are happening, many websites are hacked due to misconfiguration or lack of protection. These security headers will protect your website from some common attacks like XSS, code injection, clickjacking, etc. Additionally these headers increases your website SEO score.
\nHTTP Strict Transport Security security header helps to protect websites against man-in-the-middle attacks and cookie hijacking. Let's say, you have one website www.example.com and you have purchased SSL certification for migrating your website from HTTP to HTTPS. Now suppose old users are still opening your website using the HTTP, so they may redirect your HTTP users to HTTPS via redirection as a solution. Since visitors may first communicate with the non-encrypted version of the site before being redirected. This creates an opportunity for a man-in-the-middle attack. The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests.
Strict-Transport-Security: max-age=<expire-time>\n Strict-Transport-Security: max-age=<expire-time>; includeSubDomains\n Strict-Transport-Security: max-age=<expire-time>; preload| Directives | \nExplanation | \n
|---|---|
max-age=<expire-time> | \nThis directive allows us to specify the amount of time (in seconds) that the content of the header will be stored in the browser cache. | \n
includeSubDomains | \nIf this optional parameter is specified, this rule applies to all of the site's subdomains as well. | \n
Preload | \nThis is not part of the specifications. Please see the Preloading Strict Transport Security | \n
X-XSS header helps protect websites against script injection attacks. When an attacker injects malicious JavaScript code into an HTTP request for accessing confidential information such as session cookies, at that time HTTP X-XSS-Protection header can stop the browsers from loading suce web pages, whenever any detect is reflected cross-site scripting (XSS) attacks. XSS is a very common and effective attack.
\n X-XSS-Protection: 0 \n X-XSS-Protection: 1 \n X-XSS-Protection: 1; mode=block \n X-XSS-Protection: 1; report=<reporting-uri>| Attribute | \nDescription | \n\n | \n | \n |
|---|---|---|---|---|
0 | \nDisable the XSS Filtering | \n\n | \n | \n |
1 | \nEnable the XSS Filtering and remove the unsafe part | \n\n | \n | \n |
1; mode=block | \nBrowser prevents the entire page from rendering when an XSS attack is detected. | \n\n | \n | \n |
1; report=<reporting-URI> (Chromium only) | \nWhen a cross-site scripting attack is detected, the browser will remove the unsafe parts from the page and report the violation on the reporting URL. | \n\n | \n | \n |
The X-Frame-Options HTTP response header can be used to instruct the browser whether a web page should be allowed to render a <frame>, <iframe>, <embed> or <object> element on website or not.
This header protects users against ClickJacking attacks. An attacker uses multiple tricks to trick the user into clicking something different than what they think they’re clicking.
\n X-Frame-Options: DENY \n X-Frame-Options: SAMEORIGIN| Directives | \nExplanation | \n
|---|---|
DENY | \nThis will not allow to page rendering in the <frame>, <iframe>, <embed> or <object> | \n
SAMEORIGIN | \nThis will allow the page to only be displayed in a <frame>, <iframe>, <embed> or <object> on the same origin. | \n
X-Content-Type-Options response header prevents the browser from MIME-sniffing a response away from the declared content-type. A MIME-sniffing vulnerability allows an attacker to inject a malicious resource, such as a malicious executable script, Suppose an attacker changes the response for an innocent resource, such as an image. With MIME sniffing, the browser will ignore the declared image content type, and instead of rendering an image will execute the malicious script.
\nSyntax
\n X-Content-Type-Options: nosniff nosniff - Blocks a request if the request destination is of type:
Content-Security-Policy header is used to instruct the browser to load only the allowed content defined in the policy. This uses the whitelisting approach which tells the browser from where to load the images, scripts, CSS, applets, etc. If implemented properly, this policy prevents the exploitation of Cross-Site Scripting (XSS), ClickJacking, and HTML injection attacks.
\n Content-Security-Policy: <policy-directive>; <policy-directive>More information about the Content Security policy can be found on Mozilla’s website .
\nAs a web developer, you can follow this guide for adding security headers to your website. HTTP headers can be configured on the server to enhance the overall security of the web application. You can easily validate your website security headers. Multiple free online tools are available to check the same:
\nThese headers reduce the potential vulnerabilities of the application. Alongside these headers will add one layer of security still we need to add more layer's of security in our web application
\n","frontmatter":{"date":"July 15, 2020","updated_date":null,"description":"HTTP security headers are a fundamental part of website security. Upon implementation, they protect you against the types of attacks that your site is most likely to come across. These headers protect against XSS, code injection, clickjacking, etc. This article explains most commonly used HTTP headers in context to application security","title":"HTTP Security Headers","tags":["Security","HTTP Headers"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/4bea535329516b2e7baca9bfc373ccfc/991d2/http-security-headers.webp","srcSet":"/static/4bea535329516b2e7baca9bfc373ccfc/61e93/http-security-headers.webp 200w,\n/static/4bea535329516b2e7baca9bfc373ccfc/1f5c5/http-security-headers.webp 400w,\n/static/4bea535329516b2e7baca9bfc373ccfc/991d2/http-security-headers.webp 640w","sizes":"(max-width: 640px) 100vw, 640px"}}},"author":{"id":"Vijay Singh Shekhawat","github":"code-vj","avatar":null}}}},{"node":{"excerpt":"Have you ever heard of SonarQube? Would you like to know What it is? And how to use it? And its benefits to the production phase of software…","fields":{"slug":"/engineering/sonarqube/"},"html":"Have you ever heard of SonarQube? Would you like to know What it is? And how to use it? And its benefits to the production phase of software development. Then you are at the right place; in this tutorial of SonarQube, I will give you a walkthrough of every aspect of SonarQube.
\nLet's dive in!!!
\nSonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality. Sonar does static code analysis, which provides a detailed report of bugs, code smells, vulnerabilities, code duplications.
\nIt supports 25+ major programming languages through built-in rulesets and can also be extended with various plugins.
\nDevelopers working with hard deadlines to deliver the required functionality to the customer. It is so important for developers that many times they compromise with the code quality, potential bugs, code duplications, and bad distribution of complexity.
\nAdditionally, they tend to leave unused variables, methods, etc. In this scenario, the code would work in the desired way.
\nDo you think this is a proper way to deliver functionality?
\nThe answer is NO.
\nTo avoid these issues in code, developers should always follow the good coding practice, but sometimes it is not possible to follow the rules and maintain the good quality as there may be many reasons.
\nIn order to achieve continuous code integration and deployment, developers need a tool that not only works once to check and tell them the problems in the code but also to track and control the code to check continuous code quality. To satisfy all these requirements, here comes SonarQube in the picture.
\nThis section will explain the steps or procedures to configure the sonarqube plugin for all the major programming languages.
\nThe only prerequisite for running SonarQube is to have Java (Oracle JRE 11 or OpenJDK 11) installed on your machine. [details]
\nSet the PATH system variable: How do I set or change the PATH system variable?
\n\n\nNote: In order to analyze JavaScript code, you need to have Node.js >= 8 installed on the machine running the scan. If a standard node is not available, you have to set the property
\nsonar.nodejs.executableto an absolute path to Node.js executable. [details]
To start the sonar server open cmd or terminal and set sonarqube bin folder path and choose the platform and run the following command. Examples :
\n#For Windows(cmd):\nC:\\sonarqube\\bin\\windows-x86-64>StartSonar.bat\n#For other OS (terminal): \nC:\\sonarqube\\bin\\[OS]>sonar.shOnce the sonar server up successfully, then Log in to http://localhost:9000 with System Administrator credentials (login=admin, password=admin).
http://localhost:9000/account/security page).Now copy the displaying command and Go to your project path and Run the copied command. It looks like below:
\nsonar-scanner.bat -D"sonar.projectKey=rtetre" -D"sonar.sources=."-D"sonar.host.url=http://localhost:9000" -D"sonar.login=e932dxxxxx9a8e5c7903xxxxxx96928xxxxxxx"After the analysis is done, you can either browse the provided link to see the sonar report directly [Ex.: http://localhost:9000/dashboard?id=] or go to the project section to see the newly generated sonar report of your project.
If you want to exclude some files from analysis(like test files), then go to the administration section and navigate to the General setting, select the programming language used, and set a list of file path patterns to be excluded from the analysis.
\nNow re-run the analysis command given above for an updated sonar report.
\nThe goal of SonarQube is to empower developers first and to grow an open community around the quality and security of code. I hope with this quick tutorial of sonarqube you have the basic idea of the functionalities, and If you believe so, drop a comment and show your support.
\n","frontmatter":{"date":"July 11, 2020","updated_date":null,"description":"SonarQube is a universal tool for static code analysis that has become more or less the industry standard. Keeping code clean, simple, and easy to read is also a lot easier with SonarQube.","title":"Sonarqube: What it is and why to use it?","tags":["Code Quality","SonarQube"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/003f532e69e3da13ba2847a99744ade0/58556/sonarqube.webp","srcSet":"/static/003f532e69e3da13ba2847a99744ade0/61e93/sonarqube.webp 200w,\n/static/003f532e69e3da13ba2847a99744ade0/1f5c5/sonarqube.webp 400w,\n/static/003f532e69e3da13ba2847a99744ade0/58556/sonarqube.webp 800w,\n/static/003f532e69e3da13ba2847a99744ade0/99238/sonarqube.webp 1200w,\n/static/003f532e69e3da13ba2847a99744ade0/135cd/sonarqube.webp 1280w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Kheenvraj Lomror","github":"rajlomror","avatar":null}}}},{"node":{"excerpt":"In this blog, we’ll see how to create and validate a JWT(JSON Web Token) in Deno. For this, we’ll be using djwt, the absolute minimum…","fields":{"slug":"/engineering/jwt-authentication-with-deno/"},"html":"In this blog, we’ll see how to create and validate a JWT(JSON Web Token) in Deno. For this, we’ll be using djwt, the absolute minimum library to make JSON Web Tokens in deno and Oak framework
\nThis tutorial assumes you have:
\nJSON Web Token is an internet standard used to create tokens for an application. These tokens hold JSON data and are cryptographically signed.
\nHere is how a sample Json Web Token looks like
\neyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6Im9sYXR1bmRlZ2FydWJhQGdtYWlsLmNvbSIsImJWT is a good way of securely sending information between parties. Because JWTs can be signed—for, you can be sure the senders are who they say they are. And, as the signature is generated using the header and the payload, you can also verify that the content hasn't been tampered with.
\nJWT can contain user information in the payload and also can be used in the session to authenticate the user.
\nIf you want to know more about JSON Web Token, We have a very good article about it.
\nFirst, let's set up a Deno server to accept requests, for it, we are using Oak framework, it is quite simple and few lines of codes as you can see below.
\n// index.ts\nimport { Application, Router } from "https://deno.land/x/oak/mod.ts";\n\nconst router = new Router();\nrouter\n .get("/", (context) => {\n context.response.body = "JWT Example!";\n })\n\nconst app = new Application();\napp.use(router.routes());\napp.use(router.allowedMethods());\n\nawait app.listen({ port: 8000 });Once our program is ready for accepting request Let's import djwt functions to generate JWT token, In below code we can use a secret key, expiry time for JWT token in 1 hour from the time program will run and we are using HS256 algorithm.
\nAdd the below code in index.ts and update the router as shown below, you can now get a brand new token on http://localhost:8000/generate
// index.ts\n...\n\nimport { makeJwt, setExpiration, Jose, Payload } from "https://deno.land/x/djwt/create.ts";\n\nconst key = "secret-key";\nconst payload: Payload = {\n iss: "Jon Doe",\n exp: setExpiration(new Date().getTime() + 60000),\n};\nconst header: Jose = {\n alg: "HS256",\n typ: "JWT",\n};\n\n\nconst router = new Router();\nrouter\n .get("/", (context) => {\n context.response.body = "JWT Example!";\n })\n .get("/generate", (context) => {\n context.response.body = makeJwt({ header, payload, key }) + "\\n";\n })\n\n...Once you get a JWT token you can validate the token by validateJwt function in djwt, let us import the validateJwt and add one more route /validate/:token
Now you can verify any token by passing it to a route like - http://localhost:8000/validate/jwt_token (jwt_token is a placeholder, please replace it with a real JWT token)
// index.ts\n...\n\nimport { validateJwt } from "https://deno.land/x/djwt/validate.ts";\n\n...\n\nrouter\n .get("/", (context) => {\n context.response.body = "JWT Example!";\n })\n .get("/generate", (context) => {\n context.response.body = makeJwt({ header, payload, key }) + "\\n";\n })\n .get("/validate/:token", async (context) => {\n if ( context.params && context.params.token && (await validateJwt(context.params.token, key)).isValid) {\n context.response.body = "Valid JWT\\n";\n } else {\n context.response.body = "Invalid JWT\\n";\n }\n });\n\n...Now you know how to generate and verify a JWT token in Deno, you can easily use it in your application, The complete source code used in this blog can be found in this Github Repo
\n","frontmatter":{"date":"July 10, 2020","updated_date":null,"description":null,"title":"How to create and validate JSON Web Tokens in Deno","tags":["Deno","JWT","JSON Web Token"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.492537313432836,"src":"/static/2ca148ad6e08643634262607131d918e/58556/deno_jwt.webp","srcSet":"/static/2ca148ad6e08643634262607131d918e/61e93/deno_jwt.webp 200w,\n/static/2ca148ad6e08643634262607131d918e/1f5c5/deno_jwt.webp 400w,\n/static/2ca148ad6e08643634262607131d918e/58556/deno_jwt.webp 800w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Puneet Singh","github":"puneetsingh24","avatar":null}}}},{"node":{"excerpt":"Cloud Cost Optimization is the method of reducing the total cloud spending by finding mismanaged capital and scale-up of Right Sizing…","fields":{"slug":"/engineering/cloud-cost-optimization/"},"html":"Cloud Cost Optimization is the method of reducing the total cloud spending by finding mismanaged capital and scale-up of Right Sizing computing services. CCO only charge for the services you use, the cloud gives companies infinite scalability and lower IT costs.
\nOn-Premise Infrastructure was only option around 10 years ago but managing On-premise Infrastructure include the extra cost with other challenges, Challenges are Network, Hardware, Cooling, Power, Space also needed technical staff for taking care all infrastructure
\nThe Colocation is when a business places its own server in a third-party data center and uses its infrastructure services. Colocation takes responsibility for Network, Hardware, Cooling, Space also business not need to worry about technical man force for managing servers
\nStill business have more challenges OS software, Application security, Data storage
\nThe Cloud service provider is providing solutions for all the challenges. The cloud service provider takes total responsibility for hardware, network, space, power, maintaining, and security also they are managing all technical workforce for the whole infrastructure
\n
Reducing Cloud cost is not a one time task. it is a recurring process. We need to identify underutilized resources, Right size machine, reserving capacity for higher discounts also need to optimization Application for reducing hardware cost. Let's start
\nCloud infrastructure is increasing day by day. Choosing the right cloud provider is the most important decision for long term success. The big three cloud providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). These three cloud providers are providing mostly services so they might be confused about choosing the right cloud provider. We can easily evaluate the right cloud provider from the following steps
\nAll Big Cloud Providers are providing discounted Instances or spot instances. Spot instances are unused instances. Cloud Providers offered up to 90% discount on these instances compared to on-demand or reserved instances. The majority of organizations have some workloads that are not critical, We can reduce the cost for not critical workload by using spot instances. AWS, Azure, and Google (GCP) all provide the option to use Spot Instances.
\nIdentify the right size for the Instance, not an easy task. We need to configure multiple matrices in our cloud service provider. Key metrics to look for are CPU and memory usage. Identify instances with a maximum CPU usage and memory usage of the month.
\nGenerally, people make mistakes during checking metrics. Most of the people prefer averages in monitoring but averages mislead the measurement. Let understand this by example
\nYou are running an online technology tutorial site. Suppose 1million active users on your website in normal days. Now you are hosting weekly technology webinars in your platform. During webinars time your platform traffic should increase. At that time CPU usages and memory usages should be high compared to the rest of the time. Now suppose you have checked the 24 hours average CPU usages and memory usages. It was around 40% and you have decided this is underutilized and scale down the lower size instance. It can impact you 5% - 10% traffic Let’s look at a real-world example. This chart shows the overall CPU usages
\n ![\"image](\"/205f2fae49dd4ac8281b545c5341d6ce/image1.webp\")
First Image showing Average CPU utilization. You can see Maximum CPU was 18.6 %
\nNow, let’s check the CPU 99th percentile:\n![\"image](\"/6c898bdf0b5b329e83f2c089d0b71b28/image2.webp\")
As expected, the 99th percentile is higher than the average. 99th percentile is around 93%
\nThe conclusion is We need to always check the 99th percentile. The average can mislead and it can impact your users.
\nWe can create different types of resources and applications utilization monitoring matrix and based on the data we can configure multiple alarms. You can configure notification or alarms on email, SMS from the Cloud provider dashboard. you can also configure alarms that automatically stop or terminate EC2 instances or VM when instance unused or underutilized according to the configured threshold. During the development or some POC as a developer or devops person we have to create some instances or resources but sometimes we forgot to terminate the instances or resources. You can minimize the this extra cost by creating a group of alarms that sends an email notification to developers whose instances have been underutilized or ideal for some hours, then terminates an instance. It will save the overall infra cost. different cloud providers provide different ways for creating these type alarms
\nYou can save around 75% cost for your Non - Production Development, Staging, and QA environment. Non - Production environment generally needed during working days. You can turn off these servers during off-hours. Cost-saving depends on the infrastructure size, it can be hundred, thousands of dollars
\nYou can create automation scripts for infrastructure deployment. Schedule the script in your cloud provider
\nApplication in-memory cache reduces the cost of transferring data in the network and overall application performance because reduce the traffic between the database servers or any other external application reduce the network level cost in the cloud also caching improves the efficiency and accessibility of data that used repeatedly or frequently accessed. Suppose your application is fetching user configuration or settings in every request from the database server. You can keep this type of configuration, which is not changing frequently in the in-memory cache. it will save a lot network-level cost
\nData Transfer cost mostly hidden or Some time we don't take care of it. Generally, data transfer is free in the same region between different services Storage, Compute service, etc.\nIf you do a lot of cross-region transfer, it will increase your network data transfer cost also if you will deploy multiple services in the same region it will improve application performance
\nThis includes knowing what you spend in detail, how specific services are billed, and the ability to display how (or why) you spent a specific amount Here, keep in mind key capabilities such as the ability to create shared accountability, hold frequent cost reviews, analyze trends, and visualize the impact of your actions on a near-real-time basis. You can also use cost controls like budget alerts and quotas to keep your costs in check over time.
\nEnterprises or Mid Level companies are adopting multi-cloud infrastructure. Consider this recent prediction from IDC: “By 2020, over 90% of enterprises will use multiple cloud services and platforms.” Or this one from 451 Research: “The future of IT is multi-cloud and hybrid with 69% of respondents planning to have some type of multi-cloud environment by 2019.”
\nOrganizations need to develop a cost optimization culture and awareness. Cost optimization is an ongoing activity in the organization. Need to decide someone responsible for the cost optimization it can be an Engineering team or DevOps team. Most cloud providers provide billing alarm’s they can alert you in case of cost increment also we can configure budget in the Cloud provider dashboard.
\n","frontmatter":{"date":"July 09, 2020","updated_date":null,"description":"Optimization of cloud costs lowers spending by recognizing mismanaged capital, reserving higher discount space, and proper sizing.","title":"Cloud Cost Optimization in 2021","tags":["Cloud","Optmization"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.408450704225352,"src":"/static/9b95fca99dc1c53ce661e89fd0341f6d/58556/cloud.webp","srcSet":"/static/9b95fca99dc1c53ce661e89fd0341f6d/61e93/cloud.webp 200w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/1f5c5/cloud.webp 400w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/58556/cloud.webp 800w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/99238/cloud.webp 1200w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/7c22d/cloud.webp 1600w,\n/static/9b95fca99dc1c53ce661e89fd0341f6d/8dda0/cloud.webp 1747w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Vijay Singh Shekhawat","github":"code-vj","avatar":null}}}},{"node":{"excerpt":"This post will cover a demo working setup of a service mesh architecture using Envoy using a demo application. In this service mesh…","fields":{"slug":"/engineering/service-mesh-with-envoy/"},"html":"This post will cover a demo working setup of a service mesh architecture using Envoy using a demo application. In this service mesh architecture, we will be using Envoy proxy for both control and data plane. The setup is deployed in a Kubernetes cluster using Amazon EKS.
\nWe will be deploying an echo-grpc test application provided by Google in their article related to gRPC load balancing and was used as a reference to test the service mesh setup with Envoy. The article covers setting up Envoy as an edge proxy only.\nThis is a simple gRPC application that exposes a unary method that takes a string in the content request field and responds with the content unaltered.\nRepo: grpc-gke-nlb-tutorial
\nkubectl create namespace envoygo get github.com/fullstorydev/grpcurlConfiguration of envoy for the sidecar deployment:
\nenvoy-echo.yaml:
\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: envoy-echo\ndata:\n envoy.yaml: |\n static_resources:\n listeners:\n - address:\n socket_address:\n address: 0.0.0.0\n port_value: 8786\n filter_chains:\n - filters:\n - name: envoy.http_connection_manager\n config:\n access_log:\n - name: envoy.file_access_log\n config:\n path: "/dev/stdout"\n codec_type: AUTO\n stat_prefix: ingress_https\n route_config:\n name: local_route\n virtual_hosts:\n - name: https\n domains:\n - "*"\n routes:\n - match:\n prefix: "/api.Echo/"\n route:\n cluster: echo-grpc\n http_filters:\n - name: envoy.health_check\n config:\n pass_through_mode: false\n headers:\n - name: ":path"\n exact_match: "/healthz"\n - name: "x-envoy-livenessprobe"\n exact_match: "healthz"\n - name: envoy.router\n config: {}\n clusters:\n - name: echo-grpc\n connect_timeout: 0.5s\n type: STATIC\n lb_policy: ROUND_ROBIN\n http2_protocol_options: {}\n load_assignment:\n cluster_name: echo-grpc\n endpoints:\n - lb_endpoints:\n - endpoint:\n address:\n socket_address:\n address: "127.0.0.1"\n port_value: 8081\n health_checks:\n timeout: 1s\n interval: 10s\n unhealthy_threshold: 2\n healthy_threshold: 2\n grpc_health_check: {}\n admin:\n access_log_path: "/dev/stdout"\n address:\n socket_address:\n address: 127.0.0.1\n port_value: 8090A couple things to note here.
\n*, allowing all domains to pass-through.Run:\nkubectl apply -f envoy-echo.yaml -n envoy
Deployment of echo-grpc application with 3 replicas. The config contains two containers, one for application and another being the Envoy image.
\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: echo-grpc\nspec:\n replicas: 3\n selector:\n matchLabels:\n app: echo-grpc\n template:\n metadata:\n labels:\n app: echo-grpc\n spec:\n containers:\n - name: echo-grpc\n image: <hub-username>/echo-grpc\n imagePullPolicy: Always\n resources: {}\n env:\n - name: "PORT"\n value: "8081"\n ports:\n - containerPort: 8081\n readinessProbe:\n exec:\n command: ["/bin/grpc_health_probe", "-addr=:8081"]\n initialDelaySeconds: 1\n livenessProbe:\n exec:\n command: ["/bin/grpc_health_probe", "-addr=:8081"]\n initialDelaySeconds: 1\n - name: envoy\n image: envoyproxy/envoy:v1.9.1\n resources: {}\n ports:\n - name: https\n containerPort: 443\n volumeMounts:\n - name: config\n mountPath: /etc/envoy\n volumes:\n - name: config\n configMap:\n name: envoy-echoHere, echo-grpc is test application and envoy is being deployed in the same pod. Config volumes are mounted so that the envoy can read the configmaps.
\nRun:\nkubectl apply -f echo-deployment.yaml -n envoy
We are using headless service for echo-grpc. Using service as headless will expose the Pods IP to the DNS server of kubernetes which will be used by Envoy to do service discovery for the pods.
\necho-service.yaml
\napiVersion: v1\nkind: Service\nmetadata:\n name: echo-grpc\nspec:\n type: ClusterIP\n clusterIP: None\n selector:\n app: echo-grpc\n ports:\n - name: http2-echo\n protocol: TCP\n port: 8786\n - name: http2-service\n protocol: TCP\n port: 8081In the above config file, we are exposing two ports, one for envoy sidecar (this is the same port we mentioned in the config map of sidecar envoy) and one for the service itself.
\nRun:\nkubectl apply -f echo-service.yaml -n envoy
Creating a service of type LoadBalancer so that client can access the backend service.
\nenvoy-service.yaml:
\napiVersion: v1\nkind: Service\nmetadata:\n name: envoy\nspec:\n type: LoadBalancer\n selector:\n app: envoy\n ports:\n - name: https\n protocol: TCP\n port: 443\n targetPort: 443Run:\nkubectl apply -f envoy-service.yaml -n envoy
Since we are deploying front envoy LoadBalancer on port 443, we have to create a self-signed certificate to make it terminate SSL/TLS connection.
\nkubectl describe svc/envoy -n envoynslookup <your load balancer aadess>openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout privkey.pem -out cert.pem -subj \"/CN=<ip-address>\"kubectl create secret tls envoy-certs --key privkey.pem --cert cert.pem --dry-run -o yamlConfiguration for the edge Envoy:
\nenvoy-configmap.yaml
\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: envoy-conf\ndata:\n envoy.yaml: |\n static_resources:\n listeners:\n - address:\n socket_address:\n address: 0.0.0.0\n port_value: 443\n filter_chains:\n - filters:\n - name: envoy.http_connection_manager\n config:\n access_log:\n - name: envoy.file_access_log\n config:\n path: "/dev/stdout"\n codec_type: AUTO\n stat_prefix: ingress_https\n route_config:\n name: local_route\n virtual_hosts:\n - name: https\n domains:\n - "*"\n routes:\n - match:\n prefix: "/api.Echo/"\n route:\n cluster: echo-grpc\n http_filters:\n - name: envoy.health_check\n config:\n pass_through_mode: false\n headers:\n - name: ":path"\n exact_match: "/healthz"\n - name: "x-envoy-livenessprobe"\n exact_match: "healthz"\n - name: envoy.router\n config: {}\n tls_context:\n common_tls_context:\n tls_certificates:\n - certificate_chain:\n filename: "/etc/ssl/envoy/tls.crt"\n private_key:\n filename: "/etc/ssl/envoy/tls.key"\n clusters:\n - name: echo-grpc\n connect_timeout: 0.5s\n type: STRICT_DNS\n lb_policy: ROUND_ROBIN\n http2_protocol_options: {}\n load_assignment:\n cluster_name: echo-grpc\n endpoints:\n - lb_endpoints:\n - endpoint:\n address:\n socket_address:\n address: echo-grpc.envoy.svc.cluster.local\n port_value: 8786\n health_checks:\n timeout: 1s\n interval: 10s\n unhealthy_threshold: 2\n healthy_threshold: 2\n grpc_health_check: {}\n admin:\n access_log_path: "/dev/stdout"\n address:\n socket_address:\n address: 127.0.0.1\n port_value: 8090Since we will be offloading HTTPS, we are using port_value of 443. Most of the configurations are same as of sidecar envoy except for three things:
\nRun:\nkubectl apply -f envoy-configmap.yaml -n envoy
envoy-deployment.yaml
\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: envoy\nspec:\n replicas: 2\n selector:\n matchLabels:\n app: envoy\n template:\n metadata:\n labels:\n app: envoy\n spec:\n containers:\n - name: envoy\n image: envoyproxy/envoy:v1.9.1\n resources: {}\n ports:\n - name: https\n containerPort: 443\n volumeMounts:\n - name: config\n mountPath: /etc/envoy\n - name: certs\n mountPath: /etc/ssl/envoy\n readinessProbe:\n httpGet:\n scheme: HTTPS\n path: /healthz\n httpHeaders:\n - name: x-envoy-livenessprobe\n value: healthz\n port: 443\n initialDelaySeconds: 3\n livenessProbe:\n httpGet:\n scheme: HTTPS\n path: /healthz\n httpHeaders:\n - name: x-envoy-livenessprobe\n value: healthz\n port: 443\n initialDelaySeconds: 10\n volumes:\n - name: config\n configMap:\n name: envoy-conf\n - name: certs\n secret:\n secretName: envoy-certsRun:\nkubectl apply -f envoy-deployment.yaml -n envoy
Proto file for the echo-grpc service:
\nccho.proto:
\nsyntax = "proto3";\n\npackage api;\n\nservice Echo {\n rpc Echo (EchoRequest) returns (EchoResponse) {}\n}\n\nmessage EchoRequest {\n string content = 1;\n}\n\nmessage EchoResponse {\n string content = 1;\n}Run the following command to call the server:\ngrpcurl -d '{\"content\": \"echo\"}' -proto echo.proto -insecure -v <load_balancer_or_external_ip>:443 api.Echo/Echo
The output will be similar to something like this:
\nResolved method descriptor:\nrpc Echo ( .api.EchoRequest ) returns ( .api.EchoResponse );\n\nRequest metadata to send:\n(empty)\n\nResponse headers received:\ncontent-type: application/grpc\ndate: Wed, 27 Feb 2019 04:40:19 GMT\nhostname: echo-grpc-5c4f59c578-wcsvr\nserver: envoy\nx-envoy-upstream-service-time: 0\n\nResponse contents:\n{\n "content": "echo"\n}\n\nResponse trailers received:\n(empty)\nSent 1 request and received 1 responseRun the above command multiple times and check the value of the hostname field every time which will contain the pod name of one of the 3 pods deployed.
\nKafka Streams is a Java library developed to help applications that do stream processing built on Kafka. To learn about Kafka Streams, you need to have a basic idea about Kafka to understand better. If you’ve worked with Kafka before, Kafka Streams is going to be easy to understand.
\nKafka Streams is a streaming application building library, specifically applications that turn Kafka input topics into Kafka output topics. Kafka Streams enables you to do this in a way that is distributed and fault-tolerant, with succinct code.
\nStream processing is the ongoing, concurrent, and record-by-record real-time processing of data.
\nLet us get started with some highlights of Kafka Streams:
\nThere are two individual processors in the topology:
\n![\"Toplogy](\"/a6722490a32c205bf1f07a2796039933/streams-architecture-topology.webp\")
There is actually a close relationship between streams and tables, the so-called stream-table duality
\nLet's Start with the Setup using Scala instead of Java. The Kafka Streams DSL for Scala library is a wrapper over the existing Java APIs for Kafka Streams DSL.
\nTo Setup things, we need to create a KafkaStreams Instance. It needs a topology and configuration (java.util.Properties). We also need a input topic and output topic. Let's look through a simple example of sending data from an input topic to an output topic using the Streams API
You can create a topic using the below commands (need to have Kafka pre installed)
\nkafka-topics --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic inputTopic\nkafka-topics --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic outputTopicval config: Properties = {\n val properties = new Properties()\n properties.put(StreamsConfig.APPLICATION_ID_CONFIG, "your-application")\n properties.put(StreamsConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:9092")\n properties.put(ConsumerConfig.AUTO_OFFSET_RESET_CONFIG, "latest")\n properties.put(StreamsConfig.PROCESSING_GUARANTEE_CONFIG, StreamsConfig.EXACTLY_ONCE)\n properties.put(StreamsConfig.DEFAULT_KEY_SERDE_CLASS_CONFIG, Serdes.String())\n properties.put(StreamsConfig.DEFAULT_VALUE_SERDE_CLASS_CONFIG, Serdes.String())\n properties\n }StreamsBuilder provide the high-level Kafka Streams DSL to specify a Kafka Streams topology.
\nval builder: StreamsBuilder = new StreamsBuilderCreates a KStream from the specified topics.
\nval inputStream: KStream[String,String] = builder.stream(inputTopic, Consumed.`with`(Serdes.String(), Serdes.String()))Store the input stream to the output topic.
\ninputStream.to(outputTopic)(producedFromSerde(Serdes.String(),Serdes.String())Starts the Streams Application
\nval kEventStream = new KafkaStreams(builder.build(), config)\nkEventStream.start()\nsys.ShutdownHookThread {\n kEventStream.close(10, TimeUnit.SECONDS)\n }You can send data to the input topic using
\nkafka-console-producer --broker-list localhost:9092 --topic inputTopicAnd can fetch the data from the output topic using
\nkafka-console-consumer --bootstrap-server localhost:9092 --topic outputTopic --from-beginningYou can add the necessary dependencies in your build file for sbt or pom file for maven. Below is an example for build.sbt.
\n// Kafka\nlibraryDependencies += "org.apache.kafka" %% "kafka-streams-scala" % "2.0.0"\nlibraryDependencies += "javax.ws.rs" % "javax.ws.rs-api" % "2.1" artifacts( Artifact("javax.ws.rs-api", "jar", "jar")) // this is a workaround. There is an upstream dependency that causes trouble in SBT builds.Let us modify the code a little bit to try out a WordCount example:\nThe code splits the sentences into words and groups by word as a key and the number of occurences or count as value and is being sent to the output topic by converting the KTable to KStream.
\nval textLines: KStream[String, String] = builder.stream[String, String](inputTopic)\nval wordCounts: KTable[String, Long] = textLines\n\t\t.flatMapValues(textLine => textLine.toLowerCase.split("\\\\W+"))\n\t\t.groupBy((_, word) => word)\n\t\t.count()(materializedFromSerde(Serdes.String(),Serdes.Long()))\n\twordCounts.toStream.to(outputTopic)(producedFromSerde(Serdes.String(),Serdes.Long())With the above process, we can now implement a simple streaming application or a word count application using Kafka Streams in Scala. If you want to set up kafka on Windows, here is a quick guide to implement apache kafka on windows OS.
\n","frontmatter":{"date":"July 01, 2020","updated_date":null,"description":"Learn about Kafka Streams, key concepts and highlights with simple streaming or a word count application using Kafka Streams in Scala","title":"Kafka Streams: A stream processing guide","tags":["Scala","Kafka","Kafka Streams"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/0b37b7b26ad97126a6657a2447528848/58556/header.webp","srcSet":"/static/0b37b7b26ad97126a6657a2447528848/61e93/header.webp 200w,\n/static/0b37b7b26ad97126a6657a2447528848/1f5c5/header.webp 400w,\n/static/0b37b7b26ad97126a6657a2447528848/58556/header.webp 800w,\n/static/0b37b7b26ad97126a6657a2447528848/99238/header.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Priyadarshan Mohanty","github":"priyadarshan1995","avatar":null}}}}]},"markdownRemark":{"excerpt":"Introduction Ever wondered how apps like Spotify, Netflix, or Slack manage seamless login experiences across devices? Many of them use JWT…","fields":{"slug":"/engineering/how-to-integrate-jwt/"},"html":"Ever wondered how apps like Spotify, Netflix, or Slack manage seamless login experiences across devices? Many of them use JWT, or JSON Web Tokens, a compact, stateless method for securely transmitting user identity and session data across services.
\nWith JWT token authentication, identity information is embedded in a signed token, allowing you to maintain user sessions without server-side storage. This approach is highly scalable and ideal for modern architectures like SPAs, mobile apps, and microservices.
\nIn this blog, we’ll walk you through what is JWT, why use it, and how to implement JWT authentication using LoginRadius.
\nYou’ll learn what JWT is, why it’s effective, and how it works in real-world applications. We'll cover both integration methods (IDX and Direct API), generating your signing key, managing sessions, storing the JWT token securely, and applying best practices throughout.
\nWhether you're a developer, product manager, or IAM architect, this guide offers a complete foundation for implementing JWT token authentication into your application stack.
\nJSON Web Token (JWT) is an open standard (RFC 7519) used to transmit information securely between parties as a JSON object. It’s compact, self-contained, and digitally signed, making it a reliable format for authentication and authorization across modern applications.
\nA JWT consists of three parts:
\nExample of a token structure:
\n<base64Header>.<base64Payload>.<signature>
\n![\"Flowchart](\"/f29edbf2978577390c7ffa02e9bc4dda/lr-JWT-authentication.webp\")
JWT simplifies identity verification, especially when you're building apps that talk to APIs or need to scale without centralized session storage.
\nLoginRadius provides robust support for JWT (JSON Web Token) authentication, which allows for flexible and secure access control across different digital platforms. Whether you're building a fully custom identity flow or using a pre-built interface, the platform supports various integration approaches depending on your architecture.
\nIf you're looking to understand how to implement JWT token authentication effectively, LoginRadius offers two primary implementation models that cater to different levels of customization and control:
\nThe IDX-hosted login approach enables secure, standards-compliant, JWT-based authentication without requiring you to build a custom login interface. This is a strategic option for fast, compliant, and user-friendly deployments.
\n![\"Screenshot](\"/9fb19dd9c88c7916aeebd03ab6e661b7/lr-admin-console.webp\")
{
\n\"access_token\": \"eyJhbGciOiJIUzI1NiIsInR...\",
\n\"expires_in\": 1800
\n}
\nThis integration approach works best for all teams that want effective identity workflows without the complexity of building proprietary login screens, something that is crucial for customer portals, onboarding of mobile applications, and even managing access for business partners.
\nIf you’re building a custom login UI or working in a headless environment, LoginRadius lets you generate and handle JWTs directly through its Authentication APIs. Here’s how you can programmatically perform token authentication using the classic method:
\nSend a POST login request to the LR Authentication URL:
\nPOST /identity/v2/auth/login
\nInclude the user’s credentials (email + password) in the request body.
\n{
\n\"access_token\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\",
\n\"expires_in\": 3600
\n}
\nWith LoginRadius, it is possible to customize the payload to include user roles and/or any additional metadata. You can set custom JWT claims on the Admin Console.
\nWith this method, you have complete customization over login flows while using LoginRadius to issue signed JWTs for user session management.
\nNOTE- With either method, LoginRadius ensures that JWTs are securely signed, optionally short-lived, and compatible with standard token validation libraries, making integration seamless for everyone.
\nTo get started with JWT implementation, you can read our complete developer documentation.
\n![\"Illustration](\"/15ec02ac98d24a9f1f28e5d0f06b9174/IDX-vs-Direct-API-JWT.webp\")
Session management is how your app keeps track of a user after they log in so they don’t have to prove who they are with every request.
\nIn traditional apps, sessions are stored on the server using session IDs. Every time a request comes in, the server checks that session ID to verify the user.
\nIn modern apps, especially SPAs and APIs, JWTs are used to manage sessions without needing server-side storage; this is called stateless session management. The token itself carries the user’s identity, roles, and expiration details. As long as the token is valid, the user stays logged in.
\nGood session management ensures:
\nUser Logs In
\nClient Stores the Token
\nAccess Token Expiry
\nToken Renewal
\nWhen the user logs out, both the access token and refresh token should be cleared from client storage.
\nHowever, access tokens are stateless and cannot be revoked mid-lifecycle unless:
\nCombining these strategies gives you greater control over token misuse and enables a robust, enterprise-grade logout flow.
\n![\"illustration](\"/e55ae4bbc8ce62e13f03e46e29ebe7cc/api-economy.webp\")
When you implement JWT-based authentication, the client (browser or mobile app) needs a way to store the access token and, optionally, the refresh token after they are issued by the authentication server. This stored token is then attached to every subsequent request to prove the user's identity.
\nChoosing where to store the JWT is a crucial security decision. The most common storage options are:
\nEach option has trade-offs between security, accessibility, and persistence, and the right choice depends on your application's architecture and threat model.
\nAccess Tokens
\nRefresh Tokens
\nJWT authentication with LoginRadius offers a modern, stateless approach to managing sessions across distributed systems. The IDX integration is ideal for rapid deployment, while the Direct API model is best for organizations needing deep customization and integration flexibility.
\nWith robust token signing, refresh capabilities, and centralized control, LoginRadius provides a future-ready foundation for secure, scalable identity architecture. Contact us to know more about JWT authentication and implementation guide.
\nA: JWT authentication securely verifies user identities, enabling stateless session management across web, mobile apps, and microservices without server-side session storage.
\nA: LoginRadius simplifies JWT integration by offering hosted IDX login pages and direct API-based authentication methods, enabling rapid deployment and deep customization.
\nA: Yes, JWT authentication is secure when implemented with best practices like short-lived tokens, secure storage methods, signature validation, and refresh token rotation.
\nA: Yes, LoginRadius allows revocation of JWT refresh tokens explicitly, and supports strategies like short-lived tokens and key rotation to manage token lifecycles securely.
\n","frontmatter":{"date":"April 15, 2025","updated_date":null,"description":"Discover JWT (JSON Web Token) authentication, its advantages, and how to integrate it seamlessly using LoginRadius' hosted IDX and Direct API methods for secure, scalable identity management.","title":"JWT Authentication with LoginRadius: Quick Integration Guide","tags":["JWT","JSON Web Token","Authentication","Authorization"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":0.7782101167315175,"src":"/static/4cedb7829f98208cbc6d5a9aea4e983d/58556/how-to-integrate-jwt.webp","srcSet":"/static/4cedb7829f98208cbc6d5a9aea4e983d/61e93/how-to-integrate-jwt.webp 200w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/1f5c5/how-to-integrate-jwt.webp 400w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/58556/how-to-integrate-jwt.webp 800w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/1cc9f/how-to-integrate-jwt.webp 896w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Kundan Singh","github":null,"avatar":null}}}},"pageContext":{"limit":6,"skip":198,"currentPage":34,"type":"//engineering//","numPages":53,"pinned":"5c425581-f474-5ae9-abe7-cf5342db2aaa"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}