Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Securing Single Page Applications
Search
Zakiullah Khan
December 07, 2014
Programming
390
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Securing Single Page Applications
Slide deck used for recent presentation at Hydeabad's AngularJS User Group meetup.
Zakiullah Khan
December 07, 2014
More Decks by Zakiullah Khan
See All by Zakiullah Khan
Project Manager v/s Program Manager
simplyzaki
0
310
Distributed Messaging with ZeroMQ
simplyzaki
1
330
Designing Big Data Solutions Using AWS
simplyzaki
1
510
Other Decks in Programming
See All in Programming
Performance Engineering for Everyone
elenatanasoiu
0
230
なぜ型を書くのか? TSKaigi2026で改めて考える #tskaigi_smarthr
kajitack
0
160
ふつうのFeature Flag実践入門
irof
8
4.2k
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
180
Webフレームワークの ベンチマークについて
yusukebe
0
180
キャリア迷子上等 ─ "ない道"は自分で作ればいい
16bitidol
3
2.3k
正しくソフトウェアを作る、前提を疑うための認知の視点 / doubt-premise
minodriven
21
7k
Agentic UI
manfredsteyer
PRO
0
200
過去最大のMCPアップデート! 2026-07-28 RC版の謎に迫る
licux
6
400
フロントエンドとバックエンドで「1文字」を揃えよう
youkidearitai
PRO
0
750
どこまでゆるくて許されるのか
tk3fftk
0
220
PHPで使える日時の表現と、その知り方 #frontend_phpcon_do
o0h
PRO
0
260
Featured
See All Featured
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
220
Being A Developer After 40
akosma
91
590k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.8k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
480
Leading Effective Engineering Teams in the AI Era
addyosmani
9
2.1k
Color Theory Basics | Prateek | Gurzu
gurzu
0
370
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
Ruling the World: When Life Gets Gamed
codingconduct
0
260
Intergalactic Javascript Robots from Outer Space
tanoku
273
27k
Visualization
eitanlees
152
17k
From π to Pie charts
rasagy
0
220
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
1
540
Transcript
Securing Single Page Applications By Zakiullah Khan Mohammed @khan_io
Disclaimer I’m not a Security Expert.
#ngHYD Twitter Hash Tag
About Me Technical Manager @ Fission Labs http://www.khanio.com
Agenda AppSec - OWASP - JWT
Single Page Applications (SPAs) Currently trending ...
None
None
Application Security Who knows it all in your team ?
OWASP Open Web Application Security Project
OWASP Online community dedicated to web application security
OWASP Identify Vulnerabilities Recommend Solutions Document Best Practices
OWASP 2013 Top 10 http://j.mp/OWASP-2013-Top10
OWASP 2013 Top 10 A1 - Injection A2 - Broken
Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards
OWASP 2013 Top 10 A1 - Injection A2 - Broken
Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards
A2 Broken Authentication and Session management Credentials - Session -
Browser Caching - Trust
Defence Encrypt session data ( SSL + HMAC + Salt)
Timeout idle sessions No plaintext anywhere Authenticate for sensitive data
Cookie vs Token Does it matter ?
None
None
None
A3 Cross-Site Scripting (XSS) Malicious content delivered to user using
Javascript
None
Defence Always validate user input Escape out URLs, JS data
and Error pages Rely on program data, not user data
Content Security Policy Whitelisting sources within browser
Content Security Policy Content-Security-Policy: script-src ‘self’ https://api.example.com
Content Security Policy connect-src - font-src - frame-src - img-src
- media-src - object-src style-src
ngCSP Content Security Policy within AngularJS
A8 Cross-Site Request Forgery (XSRF) Tricks user in submitting data
to evil endpoint
None
Defence Map HTTP methods rightly Forms authentication token Never rely
on session
$http XSRF protection within AngularJS using X-XSRF-TOKEN
How to fix all three ? Let’s talk about JWT
JSON Web Token (JWT) Pronounced as JOT
JSON Web Token (JWT) Compact URL-safe means of representing claims
to be transferred between two parties. The claims in JWT are encoded as JSON object that is digitally signed using JWS.
JSON Web Token (JWT) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts
JSON Web Token (JWT) <base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 { "alg": "HS256", "typ": "JWT" }
eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ {"sub": 1234567890, "name": "John Doe", "admin": true}
eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts HMACSHA256(base64UrlEncode(header)+"."+base64UrlEncode(claims), secret_key)
JSON Web Token (JWT) NO CSRF - NO XSS
angular-jwt https://github.com/auth0/angular-jwt
Thank You Q&A