Realistic Express app — signup, login, sessions, and one route gated on hardware-bound DBSC.
Standard username + password. Hashed with bcrypt. Sets a normal demo.sid session cookie.
After signing up, click Log in to activate the hardware-bound DBSC binding. Signup alone does not trigger DBSC — bindSession() runs in the login route after password verification, which mirrors how a real app behaves when it requires explicit credential proof before binding to the device.
/me works for any logged-in user (does NOT require DBSC). Shows your app session id + the DBSC tier the browser reached.
On Chromium 145+ this session is hardware-bound via native DBSC. On other browsers a silent Web Crypto polyfill kicks in within ~3 seconds of login. Either way, tier !== "none" is the gate to use for routes that need binding.
/profile is gated strictly on tier === "dbsc" — use this for actions where you want the TPM-backed guarantee specifically.
/profile-soft accepts "dbsc" or "bound" — both deliver cryptographic refresh signing.
/profile-strict demands X-Dbsc-Bound-Proof on tier=bound requests. The first button uses wrapFetch to sign automatically; the second deliberately omits it to demonstrate the rejection an attacker would hit with a stolen cookie.
(output will appear here)
Open DevTools console for full request/response logs. Live server log stream below mirrors every request.