Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure your Web Application
Search
Dheeraj Joshi
July 16, 2016
Technology
0
6.5k
Secure your Web Application
Slides from my talk at JSChannel Conference 2016
Dheeraj Joshi
July 16, 2016
Tweet
Share
More Decks by Dheeraj Joshi
See All by Dheeraj Joshi
Beyond Scanning
djadmin
0
450
Let's talk Security
djadmin
0
7.4k
Other Decks in Technology
See All in Technology
ガバクラのAWS長期継続割引 ~次の4/1に慌てないために~
hamijay_cloud
1
560
ビジネスとデザインとエンジニアリングを繋ぐために 一人のエンジニアは何ができるか / What can a single engineer do to connect business, design, and engineering?
kaminashi
2
860
Gateway H2 モジュールで スマートホーム入門
minoruinachi
0
110
2025-04-24 "Manga AI Understanding & Localization" Furukawa Arata (CyberAgent, Inc)
ornew
2
310
ドキュメント管理の理想と現実
kazuhe
1
300
コスト最適重視でAurora PostgreSQLのログ分析基盤を作ってみた #jawsug_tokyo
non97
1
830
OPENLOGI Company Profile for engineer
hr01
1
25k
AZ 名とAZ ID の違いを 何度でも言うよ
miu_crescent
PRO
0
110
勝手に!深堀り!Cloud Run worker pools / Deep dive Cloud Run worker pools
iselegant
4
590
Microsoft Fabric vs Databricks vs (Snowflake) -若手エンジニアがそれぞれの強みと違いを比較してみた- "A Young Engineer's Comparison of Their Strengths and Differences"
reireireijinjin6
1
120
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
2
420
AWSの新機能検証をやる時こそ、Amazon Qでプロンプトエンジニアリングを駆使しよう
duelist2020jp
1
320
Featured
See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
32
5.4k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Rails Girls Zürich Keynote
gr2m
94
13k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
23
2.7k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.8k
Stop Working from a Prison Cell
hatefulcrawdad
268
20k
Become a Pro
speakerdeck
PRO
28
5.3k
Visualization
eitanlees
146
16k
GitHub's CSS Performance
jonrohan
1030
460k
BBQ
matthewcrist
88
9.6k
Transcript
Let’s talk Security Secure your Web Application - Best Practices
Dheeraj Joshi @dheerajhere
• Front-End @ • Previously @ • Open Source (medium-cli)
• Ambidextrous TT Player About Me
More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox,
InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?
Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site
Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo
Why should Startups Care about Security? Startups & SMEs are
known to cut corners. One of the first things they cut is ‘Security'.
None
Github Reused password attack
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The
Shutdown
CROSS SITE SCRIPTING - XSS • XSS attack users •
“Javascript Injection” • Exploits can be bad, really bad..
What is XSS? Typical Reflected XSS
Stored XSS
DOM XSS
Protect Yourself • Input Validation • Ensure that outputs are
HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created
ngBind attribute $sanitize - service in module ngSanitize Sanitizes an
html string by stripping all potentially dangerous tokens.
• Add HTTPOnly, Secure attributes on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
Because the attack is carried out by the victim, CSRF
can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks
Prevention
• Only accepting POST requests • Referer Protection • Multi-Step
Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work
XSS + CSRF =
Content Security Policy (CSP)
List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains •
X-Frame-Options: deny • X-XSS-Protection: 1; mode=block
Prevent Information Disclosure Hide X-Powered-By Or try this ;)
Target=”_blank” • Access `window.opener`. • Fix `rel=noopener`. (Firefox : rel=noreferrer)
• window.opener = null;
How to improve ? • SECURITY.md • Security audits •
Discuss Vulnerabilities
Show Time !
Thank you @dheerajhere @djadmin