Intro Flashcards
Security is not like, “do this one thing and you are safe”. It’s more like…
There are x layers of protection; we probably can’t do all of them, but we can do the ones most important for our app.
Three simple but most important things you can do to protect yourself…
Layering a content security policy, sanitization, and certain attributes on a cookie can give you pretty robust coverage.
Most of the time when an app was attacked, it wasn’t wide open…
it was a tiny edge case that an attacker wedged themselves into and pried the app open.
Tempting to say you’re a FE engineer, it’s just text files on the internet, but…
You are the front line of defense for the user. Your work could be the doorway into the back-end systems.
We assume that users are who they say they are…
If they have an auth token or a cookie, we believe them. If they get that user’s session, they can be that user. And if they get your admin session…
Frameworks don’t handle security for you.
Even if you use React you’re not safe. You can still fuck yourself with the business logic.
The three trade-offs of security are…
security, user experience, and the complexity of the infrastructure.