PKCE (Proof Key for Code Exchange, RFC 7636) — an OAuth 2.0 extension protecting the authorization code from theft in public clients (SPAs, mobile apps without secure storage). Client generates a random code_verifier → sends a hash (code_challenge) in the authorize URL → at token exchange sends the original verifier back. Without PKCE, an attacker who intercepts the code can mint an access_token.
Below: details, example, related terms, FAQ.
Free online tool — website security scanner: instant results, no signup.
code_verifier = base64url(random(32)) // "dBjftJeZ..."
code_challenge = base64url(sha256(code_verifier))
auth_url = authorize?client_id=X&code_challenge=CC&code_challenge_method=S256PKCE (Proof Key for Code Exchange) significantly enhances the security of OAuth 2.0 by addressing vulnerabilities associated with public clients. Traditional OAuth 2.0 relies on client secrets to secure authorization codes, which is not feasible for public clients like Single Page Applications (SPAs) or mobile apps. These environments cannot store secrets securely, making them susceptible to attacks.
PKCE mitigates this risk by introducing a dynamic mechanism for verifying the identity of the client during the token exchange process. The main components of PKCE are:
When a client requests an access token, it sends the previously generated code_verifier along with the authorization code. The authorization server then hashes this code_verifier and compares it with the original code_challenge. If they match, it confirms the client’s identity. This process prevents attackers from using intercepted authorization codes, as they would not possess the corresponding code_verifier.
In summary, PKCE transforms OAuth 2.0 from a vulnerable protocol into a more secure one, especially for public clients, by introducing a mechanism that ensures only the legitimate client can exchange the authorization code for an access token.
Implementing PKCE in your application involves a series of steps to ensure secure authorization code exchange. Below is a practical guide to implementing PKCE in a typical OAuth 2.0 flow:
const codeVerifier = generateRandomString(128);const codeChallenge = base64UrlEncode(sha256(codeVerifier));GET /authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&code_challenge=codeChallenge&code_challenge_method=S256POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=REDIRECT_URI&client_id=CLIENT_ID&code_verifier=codeVerifierBy following these steps, you can effectively implement PKCE in your application, enhancing its security against common attacks.
While PKCE is a robust security measure for OAuth 2.0, misconfigurations can still expose your application to vulnerabilities. Below are some common pitfalls and best practices to avoid them:
By being aware of these common misconfigurations and following best practices, you can effectively secure your implementation of PKCE and safeguard your application from potential threats.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeRecommended (OAuth 2.1 draft) but not required. For public clients (SPA, mobile) — mandatory.
All major ones: Google, GitHub, Microsoft, Auth0, Okta, Keycloak. Yandex OAuth since 2022.
S256 (SHA-256) only in production. Plain (verifier=challenge) is legacy and insecure.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.