Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure your Web Application
Search
Dheeraj Joshi
July 16, 2016
Technology
0
6.4k
Secure your Web Application
Slides from my talk at JSChannel Conference 2016
Dheeraj Joshi
July 16, 2016
Tweet
Share
More Decks by Dheeraj Joshi
See All by Dheeraj Joshi
Beyond Scanning
djadmin
0
390
Let's talk Security
djadmin
0
7.3k
Other Decks in Technology
See All in Technology
Datadog Cloud SIEMを使ってAWS環境の脅威を可視化した話/lifeistech-datadog-cloud-siem
gidajun
0
480
楽しくGoを学び合う、LayerXの勉強会文化 / LayerX's study culture of having fun and learning Go together
ar_tama
2
350
Azure OpenAI Service Dev Day / LLMでできる!使える!生成AIエージェント
masahiro_nishimi
3
740
エンジニアリングマネージャーはどう学んでいくのか #devsumi / How Do Engineering Managers Continue to Learn and Grow?
expajp
4
1.3k
AWSサービスメニュー開発をしていてAWSを好きだ!と感じた瞬間
toru_kubota
0
130
エンジニアの生存戦略 〜クラウド潮流の経験から紐解く技術トレンドのメカニズムと乗りこなし方〜
shimy
9
1.9k
累計ダウンロード数1億8000万を超えるアプリケーションプラットフォームのレガシーシステム脱却とモダン化への道
kmitsuhashi
0
120
コンテナ・K8s研修 - 前半 コンテナ基礎・ハンズオン【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
170
Github Actions 로 Android 팀의 효율성 극대화
hadonghyun
0
160
AIアシスタントの活用で品質の向上と開発ワークフローのスピードアップ
nagix
1
190
データベース研修 DB基礎【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
210
年間一億円削減した時系列データベースのアーキテクチャ改善~不確実性の高いプロジェクトへの挑戦~
lycorptech_jp
PRO
3
2.9k
Featured
See All Featured
What's in a price? How to price your products and services
michaelherold
239
11k
Adopting Sorbet at Scale
ufuk
71
8.8k
Build The Right Thing And Hit Your Dates
maggiecrowley
28
2.2k
Design by the Numbers
sachag
277
18k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
No one is an island. Learnings from fostering a developers community.
thoeni
17
2.8k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
277
13k
Building Adaptive Systems
keathley
34
2k
The MySQL Ecosystem @ GitHub 2015
samlambert
248
12k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
105
6.8k
Become a Pro
speakerdeck
PRO
15
4.8k
A Philosophy of Restraint
colly
200
16k
Transcript
Let’s talk Security Secure your Web Application - Best Practices
Dheeraj Joshi @dheerajhere
• Front-End @ • Previously @ • Open Source (medium-cli)
• Ambidextrous TT Player About Me
More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox,
InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?
Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site
Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo
Why should Startups Care about Security? Startups & SMEs are
known to cut corners. One of the first things they cut is ‘Security'.
None
Github Reused password attack
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The
Shutdown
CROSS SITE SCRIPTING - XSS • XSS attack users •
“Javascript Injection” • Exploits can be bad, really bad..
What is XSS? Typical Reflected XSS
Stored XSS
DOM XSS
Protect Yourself • Input Validation • Ensure that outputs are
HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created
ngBind attribute $sanitize - service in module ngSanitize Sanitizes an
html string by stripping all potentially dangerous tokens.
• Add HTTPOnly, Secure attributes on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
Because the attack is carried out by the victim, CSRF
can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks
Prevention
• Only accepting POST requests • Referer Protection • Multi-Step
Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work
XSS + CSRF =
Content Security Policy (CSP)
List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains •
X-Frame-Options: deny • X-XSS-Protection: 1; mode=block
Prevent Information Disclosure Hide X-Powered-By Or try this ;)
Target=”_blank” • Access `window.opener`. • Fix `rel=noopener`. (Firefox : rel=noreferrer)
• window.opener = null;
How to improve ? • SECURITY.md • Security audits •
Discuss Vulnerabilities
Show Time !
Thank you @dheerajhere @djadmin