Monday 

Room 8 

09:00 - 17:00 

(UTC+02

2 Days

A builder’s guide to Single Page Application security

Frontend JavaScript frameworks such as Angular and React disrupt the traditional web security landscape, and finding reliable security advice is hard. This workshop provides Angular and React developers with the answers to all their security questions.

Security

In this workshop, you discover best practices for building secure frontend applications. We investigate how to use and configure security mechanisms available in modern browsers. We explore what security measures are built into Angular and React, along with common mistakes that circumvent these protections. Additionally, we discuss scenarios that address frequent questions, including secure data storage in the browser and the use of OAuth 2.0 and OpenID Connect.


This course offers practical and immediately applicable security advice for architects and developers. Throughout the course, Philippe is available to answer any questions, including concrete scenarios applying to your own applications.
Concretely, we will cover the following topics:

  • The security model of the web
  • Configuring modern security headers
  • XSS in modern frontend applications
  • CSP as a defense against XSS
  • CSP deployment strategies for SPAs
  • Countering advanced XSS with Trusted Types
  • Using OAuth 2.0 and OpenID Connect in SPAs
  • Securing OAuth 2.0 tokens in JS frontends


This workshop consists of a mixture of lectures, demos, interactive quizzes, and hands-on labs. The lectures provide in-depth knowledge of attacks and defenses. The hands-on labs are conducted in a custom-built competitive training environment, allowing participants to gain hands-on experience with offensive and defensive technologies.

Who should attend?

This security training specifically targets modern web developers. Anyone involved in building single-page applications (e.g., Angular, React) or managing development teams should be here. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.


Prerequisites

To participate in this training, you should have development experience with single-page applications and the underlying APIs. Familiarity with the basics of security (e.g., simple XSS attacks) is helpful, but not required. The training will talk about Angular and React specifically, but also applies to other frameworks, such as EmberJS or Vue.js.

Computer Setup

To participate in the lab sessions, participants need an internet-accessible laptop with a modern browser installed (E.g., Chrome, Firefox).

Philippe De Ryck

Philippe De Ryck specializes in making web security accessible to developers and architects, leveraging his Ph.D. from KU Leuven to inform his comprehensive understanding of security challenges. As the founder of Pragmatic Web Security, he provides practical security training and consulting services to organizations worldwide.

His online course platform offers a self-paced approach to learning about security. Philippe also actively helps shape OAuth 2.0 best practices as the co-author of the best practices for browser-based apps specification.

Philippe is recognized as a Google Developer Expert, acknowledging his contributions to web application and API security. He also organizes SecAppDev, an annual week-long application security course in Belgium.