AnsweredAssumed Answered

Securing LTI app communication after launch

Question asked by Zbynek Dusatko on Apr 23, 2018
Latest reply on May 9, 2019 by Peter Love


I was wondering if anybody has some input on best practices to secure tool provider after successful launch. I will have a rest api server (Java Spring with React.js) as a provider and I think it should create some web token (jwt or Spring might provide something already) for the current Canvas user and attach this web token with each http request in Authorization header. Since LTI was already successfully launched I assume I don't need another user login and this web token should be created automatically on providers server side. Basically how can I prevent middle man attack after LTI launch?