Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure your Web Application
Search
Dheeraj Joshi
July 16, 2016
Technology
0
6.5k
Secure your Web Application
Slides from my talk at JSChannel Conference 2016
Dheeraj Joshi
July 16, 2016
Tweet
Share
More Decks by Dheeraj Joshi
See All by Dheeraj Joshi
Beyond Scanning
djadmin
0
450
Let's talk Security
djadmin
0
7.4k
Other Decks in Technology
See All in Technology
Lazy application authentication with Tailscale
bluehatbrit
0
200
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
960
United airlines®️ USA Contact Numbers: Complete 2025 Support Guide
unitedflyhelp
0
310
ネットワーク保護はどう変わるのか?re:Inforce 2025最新アップデート解説
tokushun
0
200
OSSのSNSツール「Misskey」をさわってみよう(右下ワイプで私のOSCの20年を振り返ります) / 20250705-osc2025-do
akkiesoft
0
160
生成AI開発案件におけるClineの業務活用事例とTips
shinya337
0
250
Oracle Database@Google Cloud:サービス概要のご紹介
oracle4engineer
PRO
0
110
ビズリーチが挑む メトリクスを活用した技術的負債の解消 / dev-productivity-con2025
visional_engineering_and_design
3
7.4k
AWS Organizations 新機能!マルチパーティ承認の紹介
yhana
1
280
Zero Data Loss Autonomous Recovery Service サービス概要
oracle4engineer
PRO
2
7.7k
ゼロからはじめる採用広報
yutadayo
3
910
Delta airlines®️ USA Contact Numbers: Complete 2025 Support Guide
airtravelguide
0
340
Featured
See All Featured
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.5k
How STYLIGHT went responsive
nonsquared
100
5.6k
For a Future-Friendly Web
brad_frost
179
9.8k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.5k
Designing for Performance
lara
610
69k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
Site-Speed That Sticks
csswizardry
10
690
We Have a Design System, Now What?
morganepeng
53
7.7k
Music & Morning Musume
bryan
46
6.6k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
Transcript
Let’s talk Security Secure your Web Application - Best Practices
Dheeraj Joshi @dheerajhere
• Front-End @ • Previously @ • Open Source (medium-cli)
• Ambidextrous TT Player About Me
More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox,
InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?
Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site
Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo
Why should Startups Care about Security? Startups & SMEs are
known to cut corners. One of the first things they cut is ‘Security'.
None
Github Reused password attack
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The
Shutdown
CROSS SITE SCRIPTING - XSS • XSS attack users •
“Javascript Injection” • Exploits can be bad, really bad..
What is XSS? Typical Reflected XSS
Stored XSS
DOM XSS
Protect Yourself • Input Validation • Ensure that outputs are
HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created
ngBind attribute $sanitize - service in module ngSanitize Sanitizes an
html string by stripping all potentially dangerous tokens.
• Add HTTPOnly, Secure attributes on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
Because the attack is carried out by the victim, CSRF
can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks
Prevention
• Only accepting POST requests • Referer Protection • Multi-Step
Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work
XSS + CSRF =
Content Security Policy (CSP)
List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains •
X-Frame-Options: deny • X-XSS-Protection: 1; mode=block
Prevent Information Disclosure Hide X-Powered-By Or try this ;)
Target=”_blank” • Access `window.opener`. • Fix `rel=noopener`. (Firefox : rel=noreferrer)
• window.opener = null;
How to improve ? • SECURITY.md • Security audits •
Discuss Vulnerabilities
Show Time !
Thank you @dheerajhere @djadmin