An excellent write-up of the cryptographic errors that have been uncovered in the Adobe breach

A blog post about the advantages of the YubiKey

The FIDO U2F security reference, which clearly gives an overview of the threats U2F counters.

The SameSite cookie flag explained in more detail

An account from an IE engineer who came up with cookie prefixes, which are ironically supported by most browsers except IE

An informative blog post with a list of JWT Best Practices

An overview of the biggest data breaches over time

A detailed account of how Dropbox goes out of their way to store your passwords securely.

Practical advice on addressing the top challenges with implementing U2F-based multi-factor auhtentication.

A description of Facebook's delegated recovery mechanism

Using authentication tokens in a Single Page Application

A very clear overview of XSS attacks and defenses, ideal to sharpen your understanding of XSS

A detailed blog post on template injection in AngularJS applications using the orderBy filter

The blog post series on deploying CSP at Dropbox

GitHub's well-documented CSP journey

Strict-dynamic, presented by Google engineers at AppSec 2016

OWASP's XSS Filter Evasion Cheat Sheet

The CSP Playground, which includes a policy validator for CSP

Google's CSP Evaluator tool to check the security of your CSP policy.

The write-up of the decision and impact of removing the AngularJS Expression Sandbox