Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Securing Single Page Applications
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Zakiullah Khan
December 07, 2014
Programming
2
380
Securing Single Page Applications
Slide deck used for recent presentation at Hydeabad's AngularJS User Group meetup.
Zakiullah Khan
December 07, 2014
Tweet
Share
More Decks by Zakiullah Khan
See All by Zakiullah Khan
Project Manager v/s Program Manager
simplyzaki
0
300
Distributed Messaging with ZeroMQ
simplyzaki
1
320
Designing Big Data Solutions Using AWS
simplyzaki
1
500
Other Decks in Programming
See All in Programming
CSC307 Lecture 09
javiergs
PRO
1
840
AIによる高速開発をどう制御するか? ガードレール設置で開発速度と品質を両立させたチームの事例
tonkotsuboy_com
7
2.3k
Rust 製のコードエディタ “Zed” を使ってみた
nearme_tech
PRO
0
180
ノイジーネイバー問題を解決する 公平なキューイング
occhi
0
100
AIエージェントのキホンから学ぶ「エージェンティックコーディング」実践入門
masahiro_nishimi
5
460
AWS re:Invent 2025参加 直前 Seattle-Tacoma Airport(SEA)におけるハードウェア紛失インシデントLT
tetutetu214
2
110
Implementation Patterns
denyspoltorak
0
290
AIエージェント、”どう作るか”で差は出るか? / AI Agents: Does the "How" Make a Difference?
rkaga
4
2k
副作用をどこに置くか問題:オブジェクト指向で整理する設計判断ツリー
koxya
1
610
AI時代のキャリアプラン「技術の引力」からの脱出と「問い」へのいざない / tech-gravity
minodriven
21
7.2k
高速開発のためのコード整理術
sutetotanuki
1
400
CSC307 Lecture 01
javiergs
PRO
0
690
Featured
See All Featured
DevOps and Value Stream Thinking: Enabling flow, efficiency and business value
helenjbeal
1
94
ラッコキーワード サービス紹介資料
rakko
1
2.3M
Marketing to machines
jonoalderson
1
4.6k
Ruling the World: When Life Gets Gamed
codingconduct
0
140
How Software Deployment tools have changed in the past 20 years
geshan
0
32k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
340
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
livdayseo
0
66
Claude Code どこまでも/ Claude Code Everywhere
nwiizo
61
52k
Digital Ethics as a Driver of Design Innovation
axbom
PRO
1
180
Mobile First: as difficult as doing things right
swwweet
225
10k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
270
From π to Pie charts
rasagy
0
120
Transcript
Securing Single Page Applications By Zakiullah Khan Mohammed @khan_io
Disclaimer I’m not a Security Expert.
#ngHYD Twitter Hash Tag
About Me Technical Manager @ Fission Labs http://www.khanio.com
Agenda AppSec - OWASP - JWT
Single Page Applications (SPAs) Currently trending ...
None
None
Application Security Who knows it all in your team ?
OWASP Open Web Application Security Project
OWASP Online community dedicated to web application security
OWASP Identify Vulnerabilities Recommend Solutions Document Best Practices
OWASP 2013 Top 10 http://j.mp/OWASP-2013-Top10
OWASP 2013 Top 10 A1 - Injection A2 - Broken
Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards
OWASP 2013 Top 10 A1 - Injection A2 - Broken
Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards
A2 Broken Authentication and Session management Credentials - Session -
Browser Caching - Trust
Defence Encrypt session data ( SSL + HMAC + Salt)
Timeout idle sessions No plaintext anywhere Authenticate for sensitive data
Cookie vs Token Does it matter ?
None
None
None
A3 Cross-Site Scripting (XSS) Malicious content delivered to user using
Javascript
None
Defence Always validate user input Escape out URLs, JS data
and Error pages Rely on program data, not user data
Content Security Policy Whitelisting sources within browser
Content Security Policy Content-Security-Policy: script-src ‘self’ https://api.example.com
Content Security Policy connect-src - font-src - frame-src - img-src
- media-src - object-src style-src
ngCSP Content Security Policy within AngularJS
A8 Cross-Site Request Forgery (XSRF) Tricks user in submitting data
to evil endpoint
None
Defence Map HTTP methods rightly Forms authentication token Never rely
on session
$http XSRF protection within AngularJS using X-XSRF-TOKEN
How to fix all three ? Let’s talk about JWT
JSON Web Token (JWT) Pronounced as JOT
JSON Web Token (JWT) Compact URL-safe means of representing claims
to be transferred between two parties. The claims in JWT are encoded as JSON object that is digitally signed using JWS.
JSON Web Token (JWT) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts
JSON Web Token (JWT) <base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 { "alg": "HS256", "typ": "JWT" }
eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ {"sub": 1234567890, "name": "John Doe", "admin": true}
eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts HMACSHA256(base64UrlEncode(header)+"."+base64UrlEncode(claims), secret_key)
JSON Web Token (JWT) NO CSRF - NO XSS
angular-jwt https://github.com/auth0/angular-jwt
Thank You Q&A
SiteGround - Reliable hosting with speed, security, and support you can count on.
simplyzaki
javiergs
tonkotsuboy_com
nearme_tech
occhi
masahiro_nishimi
tetutetu214
denyspoltorak
rkaga
koxya
minodriven
sutetotanuki
.png){kind=avatar}
helenjbeal
rakko
jonoalderson
codingconduct
geshan
reverentgeek
livdayseo
nwiizo
axbom
swwweet
akashhashmi
rasagy
