Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure your Web Application

Dheeraj Joshi
July 16, 2016
Technology
0
6.4k

Secure your Web Application

Slides from my talk at JSChannel Conference 2016

Dheeraj Joshi

July 16, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Beyond Scanning
djadmin
0
440
Let's talk Security
djadmin
0
7.4k

Other Decks in Technology

See All in Technology
2025/3/1 公共交通オープンデータデイ2025
morohoshi
0
120
Ruby on Railsで持続可能な開発を行うために取り組んでいること
am1157154
3
180
「頑張る」を「楽しむ」に変換する技術
tomoyakitaura
2
760
マルチアカウント環境における組織ポリシーについて まとめてみる
nrinetcom
PRO
2
110
MIMEと文字コードの闇
hirachan
2
1.5k
開発者体験を定量的に把握する手法と活用事例
ham0215
0
150
OSSの実装を参考にBedrockエージェントを作る
moritalous
2
130
貧民的プログラミングのすすめ
kakehashi
PRO
2
230
人生を左右する「即答」のススメ: 一瞬の判断を間違えないためにするべきこと
takasyou
7
880
【Snowflake九州ユーザー会#2】BigQueryとSnowflakeを比較してそれぞれの良し悪しを掴む / BigQuery vs Snowflake: Pros & Cons
civitaspo
4
1.5k
開発者のための FinOps/FinOps for Engineers
oracle4engineer
PRO
2
280
MLflowはどのようにLLMOpsの課題を解決するのか
taka_aki
0
160

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.3k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.3k
BBQ
matthewcrist
87
9.5k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.5k
Designing for humans not robots
tammielis
250
25k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.8k
Product Roadmaps are Hard
iamctodd
PRO
51
11k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Statistics for Hackers
jakevdp
797
220k
Why Our Code Smells
bkeepers
PRO
336
57k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2.1k

Transcript

  1. Let’s talk Security Secure your Web Application - Best Practices

    Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox,

    InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?

  4. Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site

    Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo

  5. Why should Startups Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None

  7. Github Reused password attack

  8. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  9. CROSS SITE SCRIPTING - XSS • XSS attack users •

    “Javascript Injection” • Exploits can be bad, really bad..

  10. What is XSS? Typical Reflected XSS

  11. Stored XSS

  12. DOM XSS

  13. Protect Yourself • Input Validation • Ensure that outputs are

    HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created

  14. ngBind attribute $sanitize - service in module ngSanitize Sanitizes an

    html string by stripping all potentially dangerous tokens.

  15. • Add HTTPOnly, Secure attributes on Session Cookie

  16. CROSS-SITE REQUEST FORGERY (CSRF)

  17. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  18. Prevention

  19. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  20. XSS + CSRF =

  21. Content Security Policy (CSP)

  22. List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains •

    X-Frame-Options: deny • X-XSS-Protection: 1; mode=block

  23. Prevent Information Disclosure Hide X-Powered-By Or try this ;)

  24. Target=”_blank” • Access `window.opener`. • Fix `rel=noopener`. (Firefox : rel=noreferrer)

    • window.opener = null;

  25. How to improve ? • SECURITY.md • Security audits •

    Discuss Vulnerabilities

  26. Show Time !

  27. Thank you @dheerajhere @djadmin