🔌 Protected API Endpoints
Test authenticated endpoints using your session cookies
📋 API Endpoint Reference
Protected Endpoints (Require Auth)
GET /api/protected - Example protected endpoint
GET /api/users/me - Get current user from database
GET /api/userinfo - Get user info from ZITADEL
POST /v1/security/refresh-token - Refresh access token
POST /v1/security/logout - Logout and clear session
Public Endpoints
GET /health - System health check
GET /v1/security/is-authorized - Check authorization status
🛡️ WAF Protection Demo
Test Coraza WAF detection by attempting malicious requests:
📊 Security Architecture
Request Flow:
Browser → Coraza WAF (Detects & Blocks Threats) → NGINX Reverse Proxy → ZITADEL (OAuth2/OIDC) → Go Application API → PostgreSQL
Security Features:
• OWASP ModSecurity Core Rule Set (CRS)
• JWT Token Validation
• HTTP-Only Secure Cookies
• CSRF Protection (SameSite=Strict)
• Session Version Control
• Multi-Tenant Data Isolation
🔐 OAuth2/OIDC Authentication Flow
Complete Registration & Login Flow
1. User Registration → ZITADEL (email + password + passkey MFA)
2. OAuth2 Authorization → PKCE flow initiated with code_challenge
3. Token Exchange → Authorization code → Access + Refresh tokens
4. Session Establishment → POST /v1/security/set-token-cookie
5. Secure Cookies Set → HttpOnly + Secure + SameSite=Strict
6. Authenticated Access → All API calls use session cookies
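Steps 2, 3 and 5 of this flow, as an added Go example that is not part of this demo's own code: it derives the S256 PKCE verifier/challenge pair the client sends in step 2 and the server recomputes in step 3, and builds the step-5 cookie with exactly the HttpOnly, Secure and SameSite=Strict attributes listed above. The cookie name "session" and its lifetime are assumptions, not values from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"time"
)

// PKCE pairs the client-held secret (verifier) with the value sent in the
// authorization request (challenge), as in step 2 of the flow above.
type PKCE struct{ Verifier, Challenge string }
// NewPKCE makes an S256 pair: verifier = 32 random bytes as unpadded
// base64url (43 chars), challenge = base64url(SHA-256(verifier)).
func NewPKCE() (PKCE, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return PKCE{}, err
	}
	v := base64.RawURLEncoding.EncodeToString(raw)
	return PKCE{Verifier: v, Challenge: ChallengeFor(v)}, nil
}

// ChallengeFor is what the authorization server recomputes at token
// exchange (step 3); a mismatch means the code is being replayed.
func ChallengeFor(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// SessionCookie builds the cookie of step 5. The name "session" and the
// TTL are assumptions; the three attributes are the ones the page lists.
func SessionCookie(token string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    token,
		Path:     "/",
		HttpOnly: true,                    // hidden from page scripts
		Secure:   true,                    // sent over HTTPS only
		SameSite: http.SameSiteStrictMode, // never sent cross-site
		Expires:  time.Now().Add(ttl),
	}
}

func main() {
	p, _ := NewPKCE()
	fmt.Println(p.Challenge, SessionCookie("tok", time.Hour).String())
}
```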
👤 Current Session Information
🍪 Session Security Details
🔑 Token Management