HTML5 has changed the way we build and deploy code on the web, moving much of an application's logic from the server down to a user's browser, caching data locally via storage APIs, and delivering exciting experiences without touching the network. This has excellent effects on both speed and availability, but it also makes it more critical than ever to actually follow the security best practices we preach. This talk will outline some of the ways in which you can mitigate the effects of cross-site scripting and other attacks, ranging from practical use of Content Security Policy to properly sandboxing user-generated content.