With new tools like Angularjs and Nodejs, it is easier than ever to build User Interfaces for the systems that you manage. But how to do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky. JSON Web Tokens (JWTs) are being prescribed as a panacea for webapp security, but you need to know your security basics before you can implement them with peace of mind. JWTs are a great mechanism for persisting authentication information in a verifiable and stateless way, but that token still needs to be stored somewhere.In this talk, Robert Damphousse, lead front-end developer at Stormpath, will explain the security loopholes in web browsers, and what you can do about them – keeping your JWTs safe and secure. Topics covered include: Web browser security issues like XSS, user credential security, managing access control information, Man in the Middle attacks (MitM), and Cross-Site Request Forgery (CSRF). How you can mitigate potential security risks. Security issues and implementation tips across the entire stack. What you need to know about cookies. Infrastructure issues with session identifiers. How to issue JSON Web Tokens (JWTs) to secure the browser application.Robert will demonstrate these points with a simple single-page-application, built with Angular.js, and backed by a REST API. |