#security

Security is the practice of protecting data, networks, programs and other information from unauthorized or unintended access, destruction or change. It involves a set of measures designed to ensure the confidentiality, integrity and availability of data and systems. In the context of JavaScript, security refers to techniques used to protect code, such as authentication, encryption, and access control. It also includes measures that prevent malicious code from executing, such as input validation, content security policies, and secure coding practices.
JSNation 2023
30 min
The State of Passwordless Auth on the Web
Can we get rid of passwords yet? They make for a poor user experience and users are notoriously bad with them. The advent of WebAuthn has brought a passwordless world closer, but where do we really stand?
In this talk we'll explore the current user experience of WebAuthn and the requirements a user has to fulfill for them to authenticate without a password. We'll also explore the fallbacks and safeguards we can use to make the password experience better and more secure. By the end of the session you'll have a vision for how authentication could look in the future and a blueprint for how to build the best auth experience today.
Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.
You can check the slides for Feross' talk here.
React Day Berlin 2023
9 min
How to Improve Your Web Application's Security Using Mozilla Observatory
In today's digital landscape, web application security is of paramount importance to protect sensitive user data and maintain user trust. The Mozilla Observatory is a powerful tool that can help developers assess the security posture of their web applications. In this talk we'll learn how to improve the security of web applications using the Mozilla Observatory.
React Day Berlin 2023
7 min
Escape Security Flaws
An elevator pitch for security - yay! I know, security is often frustrating or even annoying. But we all work in tech and at some point, security always becomes a topic. Let's discover a real-world security flaw and what we can learn from it to prevent such incidents. It's gonna be fun, I promise.
React Summit US 2023
9 min
Content Security Policy with Next.js: Leveling Up your Website's Security
In this talk, we'll explore the powerful security feature of Content Security Policy (CSP) and how it can be implemented in Next.js to bolster your website's defenses against common web attacks like Cross-Site Scripting (XSS) and data injection. We'll cover the basics of CSP, its benefits, and best practices for implementing it in Next.js.
Additionally, we'll share some tools to evaluate and test your policy. By the end of this talk, you'll have a solid understanding of how to level up your website's security with CSP and protect your users from the ever-present threats of the modern web.
React Advanced Conference 2023
6 min
Shield Your Next.js App With a Content Security Policy
Learn why you should care about Content Security Policy (CSP) and how to implement it in a Next.js application to level up your security layer. Understand CSP basics, directives, and their role in thwarting web attacks. Moving on to Next.js, the session will delve into implementation details, covering nonces and hashes for inline scripts using middleware, and common strategy pitfalls. By the end of the session, participants will be equipped with the knowledge and skills to implement and evaluate a robust CSP in Next.js, leveraging its latest features from version 13, effectively safeguarding their web applications against online attacks.
React Advanced Conference 2023
20 min
I Run Code From the Internet!
Is it wise to run code from strangers? Well, we do it all the time and there's no backing out of it. Let's take a look at how a JavaScript project could get hacked and then defend itself from supply chain attacks.
Limit access to globals for each package? Sure. Control if a package can access network or file system? Yup, that too. And no more install scripts or prototype pollution.
React Summit 2023
11 min
Secrets in Source Code - How Your JS Code is Exposing Your Credentials
Secrets like API keys are constantly leaking through source code. The 2021 State of Secrets Sprawl report found over 6 million secrets in public git repos. This presentation reviews the new, unreleased 2022 State of Secrets Sprawl report, focusing on how JavaScript source code specifically leaks secrets.
React Summit 2023
8 min
Zod === Typescript, but at Runtime in Your React Applications
In this talk, I want to show how we can use Zod to guarantee types in a React application at runtime. Environment variables, HTTP requests, forms and so on can cause trouble in our applications, mainly when they contain unexpected types. Using Zod, we can create schemas that guarantee at runtime the types we expect in our editor. In this way, we can react quickly when an environment variable is missing or when someone changes the API contract without informing us.
A small validation layer in our applications can prevent a bad user experience and notify us immediately, so we can fix the problem as soon as possible and avoid displaying wrong data.
JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
All languages are or were vulnerable to some kind of threat. I'm part of the Node.js Security team, and during 2022 we performed many security releases, some of which were really hard to think about.
Did you know you can make money by finding critical vulnerabilities in Node.js? In this talk, I'll show you 5 ways you could have hacked Node.js and how the Node.js team deals with vulnerabilities.
Node Congress 2023
21 min
Securing Your Software Supply Chain
The software supply chain is under constant attack, and threat actors are finding new ways to exploit and profit from the cracks in its foundations. Of course, the JavaScript ecosystem is at the heart of this problem, as it has grown accustomed to relying on small, interdependent modules made available through the largest software registry in the world (npm). Learn more about the current and future state of the ecosystem, and dive into the new tooling and resources you'll need to protect yourself and your projects this year and beyond.
Node Congress 2023
8 min
Supply Chain Security Experience
Developers are flooded with tools and worries provided by security vendors. From researchers finding theoretical attacks, to time spent dealing with package updates, to simple accidents causing downtime, all of these exist. Taking some history into account, to understand the basic categories of attacks, how practical they are to exploit, and even how common they are, will give some assurance and guidance on where a developer can focus their limited energy and get the most out of their efforts.
Node Congress 2023
8 min
Eval all the strings! - Hardened JavaScript
This talk is about Secure ECMAScript (SES) and Compartments, which are TC39 proposals, and I'm working on tooling to make these concepts usable together with the people championing those proposals.
This is a first-hand account of the future of JavaScript security.
SES plus tooling (LavaMoat or Endo) makes it possible to limit access to the network, the file system, core modules or globals on a per-package basis.
I want to show how they work, what possibilities they open, and how to make that future happen today with some effort.
To me this is the final step in securing the npm supply chain: even if a package gets taken over by bad actors, it won't be able to hurt me.
Node Congress 2023
29 min
The tale of avoiding a time-based DDOS attack in Node.js
Web applications are commonly vulnerable to several Distributed Denial of Service attacks, sometimes in unexpected ways. An example is the SlowLoris attack, an exploit that leads to service interruption simply by sending data to the server as slowly as possible. In this talk I will tell the tale of how it took almost 13 years for Node to be completely protected against SlowLoris attacks. I will also show that sometimes prioritizing performance can lead to incorrect fixes that result in a false sense of protection.
React Summit 2022
9 min
Automated Application Security Testing
Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.
JSNation 2022
9 min
Automated Application Security Testing
Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.
React Summit 2022
7 min
Avoiding CSRF with Remix
Remix 'Data Writes' go back to the basics of the web when it comes to form submissions. But therein lies a trap if you're not careful: Cross-Site Request Forgery (CSRF) can rear its head. In this session we'll explore what CSRF is, how it can be exploited, and what you can do to make sure your Remix application isn't vulnerable.
GraphQL Galaxy 2021
9 min
How to Make GraphQL Security Easier with StackHawk
With StackHawk, engineering teams can run security tests against GraphQL APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder and Chief Security Officer Scott Gerlach for a quick overview of GraphQL security testing with StackHawk.
React Advanced Conference 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Modern frontend frameworks like React are well thought-of in their application security design and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real-world.
Vue.js London Live 2021
7 min
How Developers Can Use Automated App Security Testing To Protect Vue Apps
Frontend frameworks like Vue are vulnerable to unsanitized inputs that execute malicious code. The patterns that allow for this are generally understood, but there are still some cases in which your apps might be at risk. Learn how you can implement automated application security testing to keep your apps safe.
React Finland 2021
42 min
You thought your React application is secure? Think again
Modern frontend frameworks like React are well thought-of in their application security design and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real-world.
Node Congress 2021
29 min
The Security Toolbox For Node
Do you have a way to quickly check all of your repos for vulnerabilities to various attacks? Do you know which attacks you should be preparing your applications for? In this talk, we will cover the top 10 attacks on Node applications and how to handle all of them. Multiple tools will be covered, all of which have been used in production across different back-end architectures. A few of the areas that will be covered include securing dependencies, securing data, and securing your server. By the end of this talk, attendees should have a full security toolbox and know how to implement it quickly. This helps with production applications because you will still get through your sprints on time, and you will be able to rest knowing you have security measures in place.
JSNation Live 2021
9 min
Securing Node.js APIs with Decentralised Identity Tokens
Authentication and authorization are serious problems. We often dedicate a lot of time to crafting powerful APIs but overlook proper security measures. Let's solve it with Magic, using a key-based identity solution built on top of the DID standard, where users' identities are self-sovereign and leverage blockchain public-private key pairs. In this talk, we'll look at proper ways to secure our Node.js APIs with Decentralised Identity Tokens. We'll start by learning what Decentralised Identity standards are, how users' identities are self-sovereign by leveraging blockchain public-private key pairs, and why they're the future of API security; then, to put theory into practice, we will build a real-world implementation using Node.js where I'll show common best practices.
JSNation Live 2021
8 min
Automated Security Testing for JS Apps & Underlying APIs
With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities faster. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Scott Gerlach for a quick overview of JS application security testing with StackHawk.