Overview
Discover how to enhance the security of your AngularJS applications in this comprehensive one-hour conference talk by Philippe De Ryck at Devoxx. Learn about AngularJS' built-in security features, including Strict Contextual Escaping (SCE) for protection against cross-site scripting (XSS) attacks, and how to safely relax these protections when necessary. Explore the advanced Content Security Policy (CSP) and AngularJS' cross-site request forgery (CSRF) protection mechanism. Gain insights into mixing AngularJS with traditional applications, writing effective CSP policies, and implementing secure session management. While focusing primarily on AngularJS 1.x, the talk also relates concepts to AngularJS 2 where relevant. Benefit from the expertise of Philippe De Ryck, a professional speaker and trainer on software and web security, as he shares knowledge gained from his PhD research and experience running the Web Security Training program at imec-DistriNet research group (KU Leuven, Belgium).
Syllabus
Intro
KNOWLEDGE IS KEY TO BUILDING SECURE APPLICATIONS
CROSS-SITE SCRIPTING (XSS)
HOW DO YOU PROTECT AGAINST XSS?
MIXING ANGULARJS WITH TRADITIONAL APPLICATIONS
THE NUTS AND BOLTS OF CSP
A QUICK OVERVIEW OF CSP'S DIRECTIVES
BROWSER SUPPORT FOR CSP LEVEL 1 IS AWESOME
FOLLOWING UP ON CSP VIOLATIONS
WRITING SANE CSP POLICIES
SECURE SESSION MANAGEMENT IS CRITICAL
THE UNDERESTIMATED THREAT OF CSRF
TRANSPARENT CSRF TOKENS WORK WITHOUT FORMS
Taught by
Devoxx