https://github.com/danieldanielecki/javascript-security-engineering

JavaScript Security Engineering (Helicopter View) workshop, crafted for 3 hours with a bunch of demos
https://github.com/danieldanielecki/javascript-security-engineering

angular compiler cross-origin-resource-sharing cross-site-scripting firebase-security helmet helmetjs javascript javascript-security react reactjs security serverless-security svelte svelte3 sveltejs typescript vue vuejs web-security

Last synced: 5 months ago
JSON representation

JavaScript Security Engineering (Helicopter View) workshop, crafted for 3 hours with a bunch of demos

• Host: GitHub
• URL: https://github.com/danieldanielecki/javascript-security-engineering
• Owner: danieldanielecki
• Created: 2021-06-17T07:26:47.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2021-09-02T07:06:49.000Z (about 4 years ago)
• Last Synced: 2025-05-07T11:15:27.877Z (5 months ago)
• Topics: angular, compiler, cross-origin-resource-sharing, cross-site-scripting, firebase-security, helmet, helmetjs, javascript, javascript-security, react, reactjs, security, serverless-security, svelte, svelte3, sveltejs, typescript, vue, vuejs, web-security
• Language: TypeScript
• Homepage:
• Size: 19 MB
• Stars: 4
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# JavaScript Security Engineering

This repository is for mine JavaScript Security Engineering 2.5 hours workshop with demos around

## Feedback

Lots of information, JWT part has 1 slide to improve regarding what "RS" (apparently that's hashing algorithm, not signature algorithm) and "256" (it's just length) means exactly according to definitions.

Also in JWT, PKC is so expensive in computation that's why asymmetric and symmetric crypto is combined, so it's not like symmetric crypto is not being used.

Crypto topic could've been covered more in depth, but it would give even longer talk. Generally speaking, each of those topic can be a separated conference talk.

From Web Security point of view, only SQL Injection was missing, but it wasn't too much related to JavaScript that's why it was skipped.

Don't know why `csrfCookie && csrfHeader && csrfCookie === csrfHeader` is set like this in CSRF example, not just `srfCookie === csrfHeader`. In addition to that, it'd pass if both would be undefined, then we'd have `undefined === undefined`.

As written, in CSP subfolder, something different than blocking a POST request could've been shown to differentiate better between CORS and CSP. Maybe `unsafe-inline` might be an interesting case