Slides from my talk at JSChannel Conference 2016
Let's talk Security
Secure your Web Application - Best Practices
Dheeraj Joshi, @dheerajhere
About Me
● Front-End @
● Previously @
● Open Source (medium-cli)
● Ambidextrous TT Player

What makes me happy?
I wear a White Hat.
Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc.
More...
Agenda
● Why?
● Cross-site Scripting (XSS)
● Cross-site Request Forgery (CSRF)
● Content Security Policy (CSP)
● Useful Headers
● Other Best Practices
● Live Demo

Why should Startups Care about Security?
Startups & SMEs are known to cut corners. One of the first things they cut is 'Security'.

GitHub: reused-password attack

The Shutdown: hacker puts hosting service "Code Spaces" out of business
Cross-Site Scripting (XSS)
● XSS attacks your users (their browsers), not your server
● "JavaScript injection": attacker-controlled text ends up being parsed as script in the victim's origin
● Exploits can be bad, really bad..

What is XSS?
Typical Reflected XSS: the payload travels in the request (query string, form field) and is echoed straight back in the response, so the victim has to be lured to a crafted URL.
Stored XSS: the payload is persisted (comment, profile field, message) and served to every user who views it.
DOM XSS: client-side JavaScript writes attacker-controlled data (location.hash, postMessage data and similar) into a DOM sink such as innerHTML or document.write; the server may never see the payload.
Protect Yourself
● Input Validation (reject what the field should never contain; validation alone is not an XSS fix)
● Ensure that outputs are HTML-encoded for the context they land in (text node, attribute, JavaScript, URL each need their own encoding)
● Don't reinvent the wheel (use proven sanitizers)
● Analyze places where DOM elements are created from data (innerHTML, document.write, jQuery .html() and similar sinks)

AngularJS: ngBind attribute
ngBind sets the element's text content, so the value is never parsed as HTML.
$sanitize - service in module ngSanitize
Sanitizes an HTML string by stripping all potentially dangerous tokens (use it with ng-bind-html when you must render HTML).

● Add HttpOnly, Secure attributes on the Session Cookie (HttpOnly keeps document.cookie, and so an XSS payload, from reading it)
Cross-Site Request Forgery (CSRF)

CSRF Attacks
Because the request is sent by the victim's own browser, with the victim's credentials attached automatically, CSRF can bypass:
● HTTP Auth
● Session-based auth
● Firewalls
Prevention
"CSRF Myths": Preventions that Won't work
● Only accepting POST requests (an attacker's page can auto-submit a POST form)
● Referer Protection (the header is often stripped by privacy settings or proxies, and apps that accept a missing Referer are bypassed by a page that suppresses it)
● Multi-Step Transactions (each step can be forged in order)
● URL Rewriting (trades CSRF for a session ID leaked in every URL)
● application/json (a form with enctype="text/plain" can post a JSON-shaped body; servers that do not enforce the Content-Type are still forgeable)
XSS + CSRF =
Content Security Policy (CSP)
List of useful HTTP headers
● Strict-Transport-Security: max-age=16070400; includeSubDomains
● X-Frame-Options: deny
● X-XSS-Protection: 1; mode=block
Prevent Information Disclosure
Hide X-Powered-By (it advertises the framework and version an attacker should look up exploits for)
Or try this ;)

target="_blank"
● The opened page can access `window.opener` and navigate the original tab, for example to a phishing copy of your site.
● Fix: `rel="noopener"` (older Firefox: `rel="noreferrer"`, which implies it)
● Or, for windows you open from script, `window.opener = null;` on the new window before setting its location
How to improve?
● SECURITY.md
● Security audits
● Discuss Vulnerabilities
Show Time !
Thank you
@dheerajhere
@djadmin