Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure your Web Application

Avatar for Dheeraj Joshi Dheeraj Joshi
July 16, 2016
Technology
0
6.6k

Secure your Web Application

Slides from my talk at JSChannel Conference 2016

Avatar for Dheeraj Joshi

Dheeraj Joshi

July 16, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Beyond Scanning
Avatar for Dheeraj Joshi djadmin
0
480
Let's talk Security
Avatar for Dheeraj Joshi djadmin
0
7.6k

Other Decks in Technology

See All in Technology
顧客の言葉を、そのまま信じない勇気
Avatar for yamatai12 yamatai1212
1
350
生成AIを活用した音声文字起こしシステムの2つの構築パターンについて
Avatar for Kazuki Miura miu_crescent
PRO
1
160
GitLab Duo Agent Platform × AGENTS.md で実現するSpec-Driven Development / GitLab Duo Agent Platform × AGENTS.md
Avatar for Niishi Kubo n11sh1
0
130
外部キー制約の知っておいて欲しいこと - RDBMSを正しく使うために必要なこと / FOREIGN KEY Night
Avatar for soudai sone soudai
PRO
12
5.1k
AzureでのIaC - Bicep? Terraform? それ早く言ってよ会議
Avatar for Toru Makabe torumakabe
1
480
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
15
400k
データ民主化のための LLM 活用状況と課題紹介(IVRy の場合)
Avatar for 和田 悠佑 wxyzzz
2
690
2026年、サーバーレスの現在地 -「制約と戦う技術」から「当たり前の実行基盤」へ- /serverless2026
Avatar for Serverless Operations slsops
2
220
CDKで始めるTypeScript開発のススメ
Avatar for つくぼし tsukuboshi
1
360
GSIが複数キー対応したことで、俺達はいったい何が嬉しいのか?
Avatar for Makky12 smt7174
3
150
Bill One急成長の舞台裏 開発組織が直面した失敗と教訓
Avatar for SansanTech sansantech
PRO
2
320
Greatest Disaster Hits in Web Performance
Avatar for Estela Franco guaca
0
120

Featured

See All Featured
Music & Morning Musume
Avatar for Bryan Veloso bryan
47
7.1k
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
Avatar for Aleyda Solis aleyda
2
9.5k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
750
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
580
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.8k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
Avatar for Tammy Everts tammyeverts
2
180
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
200
Designing Experiences People Love
Avatar for Jonathan Moore moore
144
24k
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
Avatar for Kenny Baas-Schwegler baasie
0
450
Agile Leadership in an Agile Organization
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
79
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
240
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
32k

Transcript

  1. Let’s talk Security Secure your Web Application - Best Practices

    Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox,

    InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?

  4. Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site

    Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo

  5. Why should Startups Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None

  7. Github Reused password attack

  8. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  9. CROSS SITE SCRIPTING - XSS • XSS attack users •

    “Javascript Injection” • Exploits can be bad, really bad..

  10. What is XSS? Typical Reflected XSS

  11. Stored XSS

  12. DOM XSS

  13. Protect Yourself • Input Validation • Ensure that outputs are

    HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created

  14. ngBind attribute $sanitize - service in module ngSanitize Sanitizes an

    html string by stripping all potentially dangerous tokens.

  15. • Add HTTPOnly, Secure attributes on Session Cookie

  16. CROSS-SITE REQUEST FORGERY (CSRF)

  17. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  18. Prevention

  19. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  20. XSS + CSRF =

  21. Content Security Policy (CSP)

  22. List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains •

    X-Frame-Options: deny • X-XSS-Protection: 1; mode=block

  23. Prevent Information Disclosure Hide X-Powered-By Or try this ;)

  24. Target=”_blank” • Access `window.opener`. • Fix `rel=noopener`. (Firefox : rel=noreferrer)

    • window.opener = null;

  25. How to improve ? • SECURITY.md • Security audits •

    Discuss Vulnerabilities

  26. Show Time !

  27. Thank you @dheerajhere @djadmin