Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure your Web Application
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Dheeraj Joshi
July 16, 2016
Technology
6.7k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Secure your Web Application
Slides from my talk at JSChannel Conference 2016
Dheeraj Joshi
July 16, 2016
More Decks by Dheeraj Joshi
See All by Dheeraj Joshi
Beyond Scanning
djadmin
0
500
Let's talk Security
djadmin
0
7.7k
Other Decks in Technology
See All in Technology
Fabricをフル活用する AI Agent Hub -製造業特化AIエージェントの設計
iotcomjpadmin
0
150
作る力から、見極める力へ — AI時代に広がるエンジニアの価値と役割
rince
0
360
MySQL & MySQL HeatWave Report - June 2026
freshdaz
0
180
Hatena Engineer Seminar 37 jj1uzh
jj1uzh
0
120
AI時代のコスト管理を考えよう〜明日から使える実践AWSノウハウ~
yoshimi0227
0
930
AI-DLCを “そのまま導入しなかった”話 ~組織に合わせてアジャストした 私たちの実践共有~
hiroramos4
PRO
1
440
從觀望到全公司落地:AI Agentic Coding 導入實戰 — 流程整合與安全治理
appleboy
0
130
iOS アプリの「これって不具合ですか?」を AI に調べてもらう
miichan
0
150
When Platform Engineering Meets GenAI
sucitw
0
200
AIエージェントとPhysical AIが拓く製造業の変革(ハノーバーメッセリキャップ)
iotcomjpadmin
0
160
螺旋型キャリアの生存戦略 / kinoko-conf2026
rakus_dev
1
1.2k
FPGAの開発コンペでZephyrを使ってみた
iotengineer22
0
210
Featured
See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
333
25k
The Illustrated Guide to Node.js - THAT Conference 2024
reverentgeek
1
400
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
240
4 Signs Your Business is Dying
shpigford
187
22k
Facilitating Awesome Meetings
lara
57
7k
Believing is Seeing
oripsolob
1
150
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
2
1.6k
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
200
A Tale of Four Properties
chriscoyier
163
24k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
220
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
200
Unlocking the hidden potential of vector embeddings in international SEO
frankvandijk
0
850
Transcript
Let’s talk Security Secure your Web Application - Best Practices
Dheeraj Joshi @dheerajhere
• Front-End @ • Previously @ • Open Source (medium-cli)
• Ambidextrous TT Player About Me
More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox,
InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?
Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site
Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo
Why should Startups Care about Security? Startups & SMEs are
known to cut corners. One of the first things they cut is ‘Security'.
None
Github Reused password attack
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The
Shutdown
CROSS SITE SCRIPTING - XSS • XSS attack users •
“Javascript Injection” • Exploits can be bad, really bad..
What is XSS? Typical Reflected XSS
Stored XSS
DOM XSS
Protect Yourself • Input Validation • Ensure that outputs are
HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created
ngBind attribute $sanitize - service in module ngSanitize Sanitizes an
html string by stripping all potentially dangerous tokens.
• Add HTTPOnly, Secure attributes on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
Because the attack is carried out by the victim, CSRF
can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks
Prevention
• Only accepting POST requests • Referer Protection • Multi-Step
Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work
XSS + CSRF =
Content Security Policy (CSP)
List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains •
X-Frame-Options: deny • X-XSS-Protection: 1; mode=block
Prevent Information Disclosure Hide X-Powered-By Or try this ;)
Target=”_blank” • Access `window.opener`. • Fix `rel=noopener`. (Firefox : rel=noreferrer)
• window.opener = null;
How to improve ? • SECURITY.md • Security audits •
Discuss Vulnerabilities
Show Time !
Thank you @dheerajhere @djadmin