Security

Published on
April 22, 2026
The Direction of a Safe Default: Why keychainAccessible Makes "Convenience" the Default and Leaves "Security" to You
React-Native Expo SecureStore Security Mechanism-Analysis
An option no build will flag and only review can catch — how expo-secure-store's default keychain class syncs passwords to iCloud, and why "when you read it" is the decisive variable for choosing a class.
Published on
February 3, 2026
A Session Can Have Only One Source of Truth: Why External Login Must Not Store a Token on the Device
Authentication OIDC JWT ASP.NET-Core-Identity Security
When wiring up an external identity provider, storing the id_token on the device tears open three channels at once: revocation, cold start, and audit. Starting from "single source of truth," a breakdown of the cookie-session contract and the JWT hardening checklist.
Published on
November 30, 2025
The Frontend Holds No JWT: Reasoning Backward from "Where to Store the Token" to a Cookie Auth + RBAC Design Space
Architecture Authentication RBAC Cookie Security
The answer to "where do you store the token" decides whether XSS risk is eliminated or merely relocated. Unpacking why the frontend holds no JWT, why CSRF becomes an unavoidable cost, how permission unions are computed, and why cache invalidation is harder than caching.

The Direction of a Safe Default: Why keychainAccessible Makes "Convenience" the Default and Leaves "Security" to You