Securing Single Page Applications - Design Considerations and Pitfalls

Explore the security implications of Single Page Applications (SPAs) in this 30-minute AppSecUSA 2018 conference talk. Delve into the potential vulnerabilities introduced by the SPA paradigm, particularly in light of the increasing popularity of frameworks like Angular and React. Learn about common security pitfalls affecting SPAs and discover effective mitigation strategies. Gain insights from Microsoft Security Engineers Rafael Dreher and Murali Vadakke Puthanveetil as they discuss topics such as stateful vs stateless applications, JSON handling, cache control, local storage, and resource sharing. Watch a live demo of cross-site scripting and understand the importance of Content Security Policy (CSP). Take away key lessons on securing SPAs, including the proper use of HTTP-only flags and techniques to prevent data theft.

Introduction
Why SPX
Stateful vs Stateless
JSON
Cache Control
Local Storage
Resource Sharing
Demo
Crosssite scripting demo
CSP
Key takeaways
HTTP only flag
How to steal data