
Getting Single Page Application Security Right by Philippe De Ryck

Single page web applications (SPAs) with a RESTful backend have profoundly changed the way web applications are developed, as more functionality is pushed towards the browser, both on traditional platforms and on mobile platforms. The underlying security mechanisms and policies, however, have not changed, and building secure applications still requires significant knowledge and effort from the developer. In this session, we investigate the impact of this paradigm shift on the architecture of web applications and their security model, and zoom into concrete vulnerabilities and their countermeasures. Specifically, we look into the following topics:

- Cross-site scripting (XSS) in SPAs, and how to counter it;
- The combination of the rising Content Security Policy (CSP) and SPAs;
- Session management with a RESTful API, and the consequences of the different options;
- The relevance of cross-site request forgery (CSRF) attacks in combination with a RESTful API, and how to defend against them.

The content in this session is relevant for every SPA framework, but practical examples will be mainly in AngularJS.

November 9, 2015