DBSC demo — Device Bound Session Credentials

What an integration needs

HTTPS / secure context

Endpoint that verifies registration JWT & pins public key

Bound cookie with short Max-Age

Refresh endpoint with challenge / response

Server-side JWK storage + signature verification

Session scope (origin / include_site / exclude rules)

Session termination & key revocation (left as TODO)

Graceful degradation when DBSC unsupported

Walkthrough

Demonstrate the security properties by simulating attacks against this same session.

Bound cookie

Cookie version —

Session id —

Cookie Max-Age left —

Next rotation in —

no key pinned yet

Polled from /api/whoami — proves the cookie value the server is actually receiving from the browser.

last polled: —

Each entry is something the server saw or did. Annotated with the DBSC concept it maps to.