Secure your Web Application
Dheeraj Joshi
July 16, 2016
Technology
Slides from my talk at JSChannel Conference 2016
Transcript
Let's talk Security: Secure your Web Application - Best Practices
Dheeraj Joshi, @dheerajhere

About Me
• Front-End @ • Previously @ • Open Source (medium-cli)
• Ambidextrous TT Player

What makes me happy? I wear a White Hat: Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc. More...

Agenda
• Why?
• Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF)
• Content Security Policy (CSP)
• Useful Headers
• Other Best Practices
• Live Demo

Why should Startups Care about Security? Startups & SMEs are known to cut corners. One of the first things they cut is 'Security'.

GitHub reused-password attack

"Hacker puts hosting service 'Code Spaces' out of business" - The Shutdown

Cross-Site Scripting - XSS
• XSS attacks users
• "JavaScript Injection"
• Exploits can be bad, really bad..

What is XSS? Typical Reflected XSS
Stored XSS
DOM XSS

Protect Yourself
• Input Validation
• Ensure that outputs are HTML encoded
• Don't reinvent the wheel (use proven sanitizers)
• Analyze places where DOM elements are created

ngBind attribute; $sanitize - service in module ngSanitize: sanitizes an HTML string by stripping all potentially dangerous tokens.

• Add HttpOnly, Secure attributes on the Session Cookie

Cross-Site Request Forgery (CSRF)

CSRF Attacks: because the attack is carried out by the victim, CSRF can bypass:
• HTTP Auth
• Session-based auth
• Firewalls

Prevention

"CSRF Myths" - Preventions that won't work
• Only accepting POST requests
• Referer Protection
• Multi-Step Transactions
• URL Rewriting
• application/json

XSS + CSRF =

Content Security Policy (CSP)

List of useful HTTP headers
• Strict-Transport-Security: max-age=16070400; includeSubDomains
• X-Frame-Options: deny
• X-XSS-Protection: 1; mode=block

Prevent Information Disclosure: hide X-Powered-By. Or try this ;)
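As an added example that is not part of the talk, here is a Node.js request-handler wrapper that sets the headers listed on the slide and drops X-Powered-By; the Content-Security-Policy value is an assumption, since the slides do not give one.

```javascript
// Added example, not from the talk: harden a Node.js HTTP response with the
// headers listed on the slide. Works with any object exposing
// setHeader/removeHeader (e.g. http.ServerResponse or an Express res).

// Header set as a plain object so it can be inspected in tests.
function securityHeaders() {
  return {
    // Force HTTPS for 16070400 s (~186 days) on this host and its subdomains.
    'Strict-Transport-Security': 'max-age=16070400; includeSubDomains',
    // Refuse to be rendered inside any frame (clickjacking defence).
    'X-Frame-Options': 'deny',
    // Legacy browser XSS filter: block the page instead of rewriting it.
    'X-XSS-Protection': '1; mode=block',
    // ASSUMED starting policy: same-origin resources only; the talk gives
    // no concrete CSP, so tune this to what the application really loads.
    'Content-Security-Policy': "default-src 'self'",
  };
}

// Apply the headers and hide the framework banner (prevents disclosure of
// the server stack via X-Powered-By, which Express adds by default).
function applySecurityHeaders(res) {
  res.removeHeader('X-Powered-By');
  for (const [name, value] of Object.entries(securityHeaders())) {
    res.setHeader(name, value);
  }
  return res;
}

// Wrap an ordinary request handler so every response is hardened first.
// Usage: require('http').createServer(withSecurityHeaders(handler)).listen(8080)
function withSecurityHeaders(handler) {
  return (req, res) => {
    applySecurityHeaders(res);
    return handler(req, res);
  };
}
```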
target="_blank"
• Access `window.opener`.
• Fix: `rel=noopener` (Firefox: rel=noreferrer)
• window.opener = null;

How to improve?
• SECURITY.md
• Security audits
• Discuss Vulnerabilities

Show Time!

Thank you @dheerajhere @djadmin