Web Security Training
Navigating the web security landscape
I hope you enjoyed the training on authentication in Angular applications. This page offers further reading material and links to useful resources. If you want to stay up to date in the future, I highly recommend following me on Twitter or subscribing to our mailing list.
A couple of videos talking about security in general.
A very good keynote speech from Mike West (Google) about Hardening the Web Platform
An interview with Maarten Decat (Elimity) on authorization in web applications
An interview with Mathy Vanhoef (KU Leuven), the researcher behind the KRACK attacks, on the insecurity of wireless networks
An interview with Matias Madou (Secure Code Warrior) on mitigating common vulnerabilities
Below are a couple of resources digging deeper into the topics that we covered during the workshop.
An overview of the biggest data breaches over time
A blog post about the advantages of the YubiKey
The FIDO U2F security reference, which clearly gives an overview of the threats U2F counters.
Practical advice on addressing the top challenges with implementing U2F-based multi-factor authentication.
A description of Facebook's delegated recovery mechanism
An example of a brute-force attack in practice, worth $5000 in bug bounties
A detailed account of how Dropbox goes out of its way to store your passwords securely.
A guide from the Belgian government about choosing safe passwords.
Documentation of the $http provider (1.x) and the HttpClient (2+), which have a separate section on security considerations
An article covering Angular's CSRF protection in more detail
The SameSite cookie flag explained in more detail
An account from an IE engineer who came up with cookie prefixes, which are ironically supported by most browsers except IE
A well-documented guided tour of CORS
The video covering various CORS misconfigurations and their potential consequences
The original blog post with the list of JWT Best Practices we covered
The angular-jwt library, which offers out-of-the-box support for whitelisting domains
An article covering the motivation for using the key ID (kid) with JWT tokens