Andrey Polischuk

Protect the frontend

Modern web application uses a lot of resources: own scripts, styles, requests, url queries, external analytics, fonts and other stuff receiving from cdns. And each of them may be malicious under certain conditions.

Application runs in an unpredictable browser environment with possibly malware extensions. And all documents, scripts, requests transmit over potentially unsecured networks.

Every day we improve ui, accessibility, perfomance. But what about security? As frontend engineers we should always think about all aspects of development including security of users using our products.

Possible attacks

Web applications have some vulnerabilities which enable the following attacks:

XSS (Cross-site Scripting)

Each of them can result in opening and executing a malicious resource in application. Users may lose them data or access to account. Or may be taken away to external site.

Clickjacking

In these ways users may lose credentials when type their in hidden inputs placed over real application or when try to authorize on proxied page.

Defense

So we explored possible categories of attacks. And now we should find ways to protect users from losing their sensitive data such as credentials or session ids.

There are several techniques to protect apps against attacks:

Summary

That’s all. I hope my little review of attacks and defend methods helps you to protect applications you creating. Also you can get more information by following the links referred in the article.