OAuth 2.0 (RFC 6749) is a delegated-authorization standard: app A gains the right to act on behalf of a user in service B without receiving the user's password. Don't confuse with authentication — "sign in with Google" uses OpenID Connect on top of OAuth 2.0. Core flows: Authorization Code (web), PKCE (mobile/SPA), Client Credentials (service-to-service), Device (TV, CLI).
Below: details, example, related terms, FAQ.
Free online tool — website security scanner: instant results, no signup.
Authorization: Bearer eyJhbGciOi...OAuth 2.0 defines several flow types to accommodate different use cases and environments. Understanding these flows is crucial for implementing OAuth securely and effectively.
Each flow serves a specific purpose and is designed to mitigate risks associated with different types of applications and usage scenarios.
Implementing OAuth 2.0 can vary based on the flow type chosen. Below are examples for the Authorization Code Flow and Client Credentials Flow.
1. Redirect to Authorization Server:
GET https://authorization-server.com/auth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=YOUR_SCOPES2. Exchange Authorization Code for Access Token:
POST https://authorization-server.com/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=YOUR_REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET3. Use Access Token to Access Protected Resource:
GET https://api.resource-server.com/resource
Authorization: Bearer ACCESS_TOKEN1. Request Access Token:
POST https://authorization-server.com/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET2. Use Access Token to Access API:
GET https://api.resource-server.com/resource
Authorization: Bearer ACCESS_TOKENThese examples illustrate how to use OAuth 2.0 flows for different scenarios, ensuring secure access to resources.
OAuth 2.0 and JSON Web Tokens (JWT) are often discussed together, but they serve different purposes in the realm of web security.
OAuth 2.0 is primarily an authorization framework. It allows applications to gain limited access to user accounts on an HTTP service, without exposing user credentials. OAuth 2.0 defines how tokens are obtained and used but does not specify the format of these tokens.
JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure. JWTs can be used as access tokens in OAuth 2.0 flows.
In summary, OAuth 2.0 is a protocol for authorization, while JWT is a token format that can be used within that protocol. Understanding their roles helps in building secure applications.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeOAuth 2.0 is authorization (what). OpenID Connect is a layer on top for authentication (who) via an id_token (JWT).
No — since OAuth 2.1 draft (2019) and most guides mark it deprecated. Replacement: Authorization Code + PKCE.
Can be, not required. The OAuth spec does not mandate format. Many providers (Google, Auth0) return JWTs for client convenience.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.