Authorization determines what the authenticated identity can do and the resources that can be accessed. Improper or weak authorization leads to information disclosure and data tampering. Defense in depth is the key security principle to apply to your application’s authorization strategy.
The following practices improve your Web application’s authorization:
Use multiple gatekeepers.
Restrict user access to system-level resources.
Consider authorization granularity.
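The three practices above, as an added example that is not part of the original guide: a request must pass a coarse network gate (modelled on a host restriction), a URL-level role gate, and a fine-grained resource-ownership gate, and a denial at any one gate is final. The subnet, paths, roles and record owners are constructed sample policy data, not values from the page.

```python
"""Layered (multiple-gatekeeper) authorization check; constructed example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Request:
    source_ip: str                        # peer address of the connecting host
    user: str
    roles: frozenset
    path: str
    resource_owner: Optional[str] = None  # owner of the record being accessed

# Constructed policy data (hypothetical, not from the page).
ALLOWED_HOSTS = [ip_network("10.0.1.0/28")]   # nominated web-server subnet only
URL_ROLES: Dict[str, frozenset] = {
    "/admin": frozenset({"admin"}),
    "/orders": frozenset({"admin", "customer"}),
}

Gate = Callable[[Request], Optional[str]]     # returns a denial reason or None

def host_gate(req: Request) -> Optional[str]:
    """Coarse gate: only nominated hosts may reach the application server."""
    if not any(ip_address(req.source_ip) in net for net in ALLOWED_HOSTS):
        return f"host {req.source_ip} is not a nominated web server"
    return None

def url_gate(req: Request) -> Optional[str]:
    """URL-level role check; paths with no policy entry are denied by default."""
    allowed = URL_ROLES.get(req.path)
    if allowed is None or not (req.roles & allowed):
        return f"roles {sorted(req.roles)} may not access {req.path}"
    return None

def resource_gate(req: Request) -> Optional[str]:
    """Fine-grained gate: a record is visible only to its owner or an admin."""
    if (req.resource_owner is not None and req.resource_owner != req.user
            and "admin" not in req.roles):
        return f"{req.user} does not own this record"
    return None

GATES: List[Tuple[str, Gate]] = [
    ("host", host_gate), ("url", url_gate), ("resource", resource_gate)]

def authorize(req: Request) -> Tuple[bool, str]:
    """Every gate must pass; the first denial wins so the log names the gate."""
    for name, gate in GATES:
        reason = gate(req)
        if reason:
            return False, f"denied by {name} gate: {reason}"
    return True, "allowed"
```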
On the server side, you can use IP Security Protocol (IPSec) policies to provide host restrictions to restrict server-to-server communication. For example, an IPSec policy might restrict any host apart from a nominated Web server from connecting to a ...