Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure your Web Application

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Dheeraj Joshi Dheeraj Joshi
July 16, 2016
Technology
6.7k
0

Secure your Web Application

Slides from my talk at JSChannel Conference 2016

Avatar for Dheeraj Joshi

Dheeraj Joshi

July 16, 2016

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Beyond Scanning
Avatar for Dheeraj Joshi djadmin
0
500
Let's talk Security
Avatar for Dheeraj Joshi djadmin
0
7.6k

Other Decks in Technology

See All in Technology
価格.comをAI駆動で全面刷新する ー 30年分の技術的負債を返し、次の30年の土台をつくる ー
Avatar for tkyowa tkyowa
0
220
Generative UI × A2UI で AI エージェントを作った話 AI-DLC も使ってみた!
Avatar for たけのこ kmiya84377
1
300
AI駆動開発でなんでもハンズオン環境をつくってみた
Avatar for yoshimi0227 yoshimi0227
0
190
【Gen-AX】20260530開催_JJUG CCC 2026 Spring
Avatar for Gen-AX株式会社 genax
0
310
AI フレンドリーなエラー監視を TypeScript で実現する
Avatar for Shinobu Hayashi shinyaigeek
2
210
Cloud Run のアップデート 触ってみる&紹介
Avatar for Gre212 gre212
0
290
AI駆動開発が変える、大規模開発の前提 ーHuman in the Loop から Human on the Loop へ / AIE2026
Avatar for Visional Engineering & Design visional_engineering_and_design
2
690
oracle-to-databricks-migration-with-llm-and-dbt
Avatar for case-k-git casek
1
400
先取りMaven4 ~16年ぶりのメジャーアップデート、その進化とは?~
Avatar for 荻原利雄 ogiwarat
0
120
実装は速くなった、レビューはどうする? ― 自身のレビューをAIで再現させるサーヴァントエンジニアリングのすゝめ / Implementation got faster. So what about reviews? — An invitation to Servant Engineering: Recreating your own code reviews with AI
Avatar for nrs nrslib
2
630
BigQuery の Cross-cloud Lakehouse への歩み
Avatar for Tomonori Hayashi / ぴーはや phaya72
2
330
自称宇宙最速で不合格となったAIP-C01にリベンジを果たすべくAIで問題集アプリを作ってみた。
Avatar for Yuuki Yamashita yama3133
0
260

Featured

See All Featured
A Guide to Academic Writing Using Generative AI - A Workshop
Avatar for Kenji Saito ks91
PRO
1
310
16th Malabo Montpellier Forum Presentation
Avatar for AKADEMIYA2063 akademiya2063
PRO
0
140
How Fast Is Fast Enough? [PerfNow 2025]
Avatar for Tammy Everts tammyeverts
3
590
Discover your Explorer Soul
Avatar for Emna emna__ayadi
2
1.1k
Kristin Tynski - Automating Marketing Tasks With AI
Avatar for Tech SEO Connect techseoconnect
PRO
0
260
Agile Leadership in an Agile Organization
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
160
Marketing to machines
Avatar for Jono Alderson jonoalderson
1
5.3k
Ruling the World: When Life Gets Gamed
Avatar for Sebastian Deterding codingconduct
0
240
Ecommerce SEO: The Keys for Success Now & Beyond - #SERPConf2024
Avatar for Aleyda Solis aleyda
1
2k
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
1k
Mind Mapping
Avatar for Hélio Medeiros helmedeiros
PRO
1
220
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
150

Transcript

  1. Let’s talk Security Secure your Web Application - Best Practices

    Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox,

    InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?

  4. Agenda • Why ? • Cross-site Scripting (XSS) • Cross-site

    Request Forgery (CSRF) • Content Security Policy (CSP) • Useful Headers • Other Best Practices • Live Demo

  5. Why should Startups Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None

  7. Github Reused password attack

  8. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  9. CROSS SITE SCRIPTING - XSS • XSS attack users •

    “Javascript Injection” • Exploits can be bad, really bad..

  10. What is XSS? Typical Reflected XSS

  11. Stored XSS

  12. DOM XSS

  13. Protect Yourself • Input Validation • Ensure that outputs are

    HTML encoded • Don’t reinvent the wheel (Use proven sanitizers) • Analyze places where DOM elements are created

  14. ngBind attribute $sanitize - service in module ngSanitize Sanitizes an

    html string by stripping all potentially dangerous tokens.

  15. • Add HTTPOnly, Secure attributes on Session Cookie

  16. CROSS-SITE REQUEST FORGERY (CSRF)

  17. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  18. Prevention

  19. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  20. XSS + CSRF =

  21. Content Security Policy (CSP)

  22. List of useful HTTP headers • Strict-Transport-Security: max-age=16070400; includeSubDomains •

    X-Frame-Options: deny • X-XSS-Protection: 1; mode=block

  23. Prevent Information Disclosure Hide X-Powered-By Or try this ;)

  24. Target=”_blank” • Access `window.opener`. • Fix `rel=noopener`. (Firefox : rel=noreferrer)

    • window.opener = null;

  25. How to improve ? • SECURITY.md • Security audits •

    Discuss Vulnerabilities

  26. Show Time !

  27. Thank you @dheerajhere @djadmin