Sensible defaults for client-side security (room 1)

Jen Zajac

Lead frontend dev at Catalyst

02:30 PM 9 September, 2017

There’s a lot to think about for the modern client side when starting a new project, from the framework or libraries you will use, to what dependency management and build packaging you will adopt.

This talk will cover the security decisions and secure defaults you should establish early in the project. Baking security considerations into your project early can save painful rework later. Our goal should be to make pentesters (and other more nefarious actors) work hard to find problems in our applications!

We’ll cover a range of basic decisions such as:

  • Content security policy: should you implement one? If so, what settings should you configure and how?
  • Session token storage: cookies or JWT? How can you use either of these technologies safely?
  • Avoiding XSS on the client side: what can we do to ensure we aren’t exposing our users to malicious content?
  • Dependency management: how do you manage your project dependencies, and how do you ensure you don’t get compromised by security problems in upstream libraries?