Room 8 

09:00 - 17:00 


2 Days

A builder’s guide to Single Page Application security

Frontend JavaScript frameworks such as Angular and React disrupt the traditional web security landscape, and finding reliable security advice is hard. This workshop provides Angular and React developers with the answers to all their security questions.


In this workshop, you discover best practices for building secure frontend applications. We investigate how to use and configure security mechanisms available in modern browsers. We explore what security measures are built into Angular and React, along with common mistakes that circumvent these protections. Additionally, we discuss scenarios that address frequent questions, including secure data storage in the browser and the use of OAuth 2.0 and OpenID Connect.

This course offers practical and immediately applicable security advice for architects and developers. Throughout the course, Philippe is available to answer any questions, including concrete scenarios applying to your own applications.
Concretely, we will cover the following topics:

  • The security model of the web
  • Configuring modern security headers
  • XSS in modern frontend applications
  • CSP as a defense against XSS
  • CSP deployment strategies for SPAs
  • Countering advanced XSS with Trusted Types
  • Using OAuth 2.0 and OpenID Connect in SPAs
  • Securing OAuth 2.0 tokens in JS frontends

This workshop consists of a mixture of lectures, demos, interactive quizzes, and hands-on labs. The lectures provide in-depth knowledge of attacks and defenses. The hands-on labs are conducted in a custom-built competitive training environment, allowing participants to gain hands-on experience with offensive and defensive technologies.

Who should attend?

This security training specifically targets modern web developers. Anyone involved in building single-page applications (e.g., Angular, React) or managing development teams should be here. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.


To participate in this training, you should have development experience with single-page applications and the underlying APIs. Familiarity with the basics of security (e.g., simple XSS attacks) is helpful, but not required. The training will talk about Angular and React specifically, but also applies to other frameworks, such as EmberJS or Vue.js.

Computer Setup

To participate in the lab sessions, participants need an internet-accessible laptop with a modern browser installed (E.g., Chrome, Firefox).

Philippe De Ryck

Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. Google recognizes Philippe as a Google Developer Expert for his work on security in Angular applications.