Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Secure your Web Application

Avatar for Dheeraj Joshi Dheeraj Joshi
July 16, 2016
Technology
0
6.6k

Secure your Web Application

Slides from my talk at JSChannel Conference 2016

Avatar for Dheeraj Joshi

Dheeraj Joshi

July 16, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Beyond Scanning
Avatar for Dheeraj Joshi djadmin
0
470
Let's talk Security
Avatar for Dheeraj Joshi djadmin
0
7.5k

Other Decks in Technology

See All in Technology
Playwrightのソースコードに見る、自動テストを自動で書く技術
Avatar for Yusuke Iwaki yusukeiwaki
13
4.8k
法人支出管理領域におけるソフトウェアアーキテクチャに基づいたテスト戦略の実践
Avatar for ogugu ogugu9
1
210
技術以外の世界に『越境』しエンジニアとして進化を遂げる 〜Kotlinへの愛とDevHRとしての挑戦を添えて〜
Avatar for subroh_0508 subroh0508
1
380
Challenging Hardware Contests with Zephyr and Lessons Learned
Avatar for misoji engineer iotengineer22
0
120
「Managed Instances」と「durable functions」で広がるAWS Lambdaのユースケース
Avatar for Lamaglama39 lamaglama39
0
260
[CMU-DB-2025FALL] Apache Fluss - A Streaming Storage for Real-Time Lakehouse
Avatar for Jark Wu jark
0
110
【AWS re:Invent 2025速報】AIビルダー向けアップデートをまとめて解説!
Avatar for みのるん minorun365
4
470
re:Invent 2025 ふりかえり 生成AI版
Avatar for TakaakiKakei takaakikakei
1
180
小さな判断で育つ、大きな意思決定力 / 20251204 Takahiro Kinjo
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
580
形式手法特論:CEGAR を用いたモデル検査の状態空間削減 #kernelvm / Kernel VM Study Hokuriku Part 8
Avatar for y_taka_23 ytaka23
2
440
eBPFとwaruiBPF
Avatar for Satoru Takeuchi sat
PRO
4
2.5k
AWS re:Invent 2025で見たGrafana最新機能の紹介
Avatar for 濱田孝治 hamadakoji
0
130

Featured

See All Featured
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.5k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
7.8k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
88
4.9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
49
3.2k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.9k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
29
4.1k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
54k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
127
17k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
37
2.6k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.3k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
35
2.3k

Transcript

  1. Let’s talk Security Secure your Web Application - Best Practices

    Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox,

    InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?

  4. Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site

    Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo

  5. Why should Startups Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None

  7. Github Reused password attack

  8. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  9. CROSS SITE SCRIPTING - XSS • XSS attack users •

    “Javascript Injection” • Exploits can be bad, really bad..

  10. What is XSS? Typical Reflected XSS

  11. Stored XSS

  12. DOM XSS

  13. Protect Yourself • Input Validation • Ensure that outputs are

    HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created

  14. ngBind attribute $sanitize - service in module ngSanitize Sanitizes an

    html string by stripping all potentially dangerous tokens.

  15. • Add HTTPOnly, Secure attributes on Session Cookie

  16. CROSS-SITE REQUEST FORGERY (CSRF)

  17. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  18. Prevention

  19. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  20. XSS + CSRF =

  21. Content Security Policy (CSP)

  22. List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains •

    X-Frame-Options: deny • X-XSS-Protection: 1; mode=block

  23. Prevent Information Disclosure Hide X-Powered-By Or try this ;)

  24. Target=”_blank” • Access `window.opener`. • Fix `rel=noopener`. (Firefox : rel=noreferrer)

    • window.opener = null;

  25. How to improve ? • SECURITY.md • Security audits •

    Discuss Vulnerabilities

  26. Show Time !

  27. Thank you @dheerajhere @djadmin