From the Crypt to the Code: Web Security Explored Through Horror Movies


A cryptic videotape haunting its viewers, a shape-shifting entity haunting a research station, or an astronaut unknowingly carrying an alien onto a spaceship —do these scenarios sound familiar? These horror movie plots share similarities with scenarios in web security you have already encountered.

Join me on a chilling journey through web security as we explore the most common vulnerabilities through the lens of horror movies. From the sinister injection flaws reminiscent of "Alien" to the terrifying specter of broken authentication akin to "Unfriended". But don't worry, we'll also shed light on solutions in web development, turning these security nightmares into tales of triumph. If you dare, join us and learn how to conquer the darkness invited by your web applications.

This talk has been presented at JSNation US 2024, check out the latest edition of this JavaScript Conference.

FAQ

The talk explored the parallels between web security and horror movies, using horror movie scenarios as allegories to explain various security risks and measures.

The first horror movie discussed was 'The Invisible Man,' used as an allegory for broken access control in web security.

'The Invisible Man' was used to illustrate broken access control, where a user can act beyond their permissions, akin to the invisible man operating unseen and unauthorized.

The movie 'Hellraiser' is used as an allegory for cryptographic failures, emphasizing the importance of encrypting sensitive data to prevent unauthorized access.

The movie 'Alien' is used to explain the concept of injection attacks, highlighting the need for input validation and sanitation to prevent unauthorized code execution.

'The Blob' was mentioned as an allegory for dealing with outdated and vulnerable dependencies, emphasizing the importance of keeping software libraries up-to-date.

OWASP stands for Open Worldwide Application Security Project, a group focused on improving web security by identifying and ranking the most critical security risks.

Strategies include denying access by default, using rate limiters, invalidating session identifiers regularly, and implementing access control mechanisms like OpenFGA.

Preventive measures include encrypting all sensitive data, classifying data to identify sensitivity, not caching sensitive responses, and using strong, up-to-date protocols like TLS.

The speaker mentioned enjoying A24 movies, particularly 'Hereditary' and 'Midsommar,' as they prefer psychological horror over splatter or gore films.

Ramona Schwering
28 min
18 Nov, 2024

Video Summary and Transcription
The Talk explores the parallels between web security and horror movies, highlighting the real-world impact of security issues. OWASP is introduced as a helpful team that ranks security risks. Broken access control is identified as a major risk, and best practices for access control are discussed. Cryptographic failures are compared to the movie Hellraiser, emphasizing the importance of encryption. Surviving security issues involves encrypting sensitive data, input validation, and using secure protocols. Injection attacks and defense strategies are illustrated through the movie Alien. The importance of monitoring and updating dependencies is emphasized. Code testing is crucial for security. Social engineering and favorite horror movies are briefly mentioned. Testing tools and the importance of taking action are highlighted. Overall, the Talk provides valuable insights into web security through the lens of horror movies.

1. Introduction to Web Security for Horror Movies

Short description:

It's not the first time giving a talk in the Planetarium. I will have two tiny disclaimers for you: slight spoiler alert and horror movie plots can be intense.

It's not the first time, like first time being in the States, first time giving a talk in the Planetarium. How cool is that? And I'm able to share with all of you. So this is just wonderful.

But while having a wonderful tone on this talk is a little difficult because even though Halloween is over, there are some creepy things, scary things, dreads, nightmares still there, which will not go away just because Halloween is over, right? So but have no fear. We're in it together. You are here with my first time Planetarium. So you're my companions. And let me bring you on to a journey from the crypt to the code to explore web security for horror movies.

And before I start, real quick, I will have two tiny disclaimers for you. The first one will be a slight spoiler alert, because of course, if I try to teach web security for horror movies, I might need to touch on horror movie plots. So no worries, I will not spoil the complete films for you. But I will make sure you get what I'm talking about, even when horror movies are not your cup of tea. And the other one: of course, horror movie plots are sometimes not that friendly, to say it like that. So I will try to be as kind and harmless as possible when it comes to my wording. But if I slip sometimes, please bear with me, because horror movies are sometimes intense. And yeah, I might mention some plot points. So slight content warning, just so you know.

2. Parallels between Web Security and Horror Movies

Short description:

If you see movies or Halloween or basically horror movies throughout the year, did you ever hear this quote, I'll be right back? It's a bad omen. Don't do this. There are lots of parallels between web security, security issues, and horror movies. And even complete plot points of horror movies, mirroring complete incidents. They are taken from the media because these are actual security issues. They're real and they cause lots of damage. But there is a positive thing, which is they're in the real world, which will help us in horror scenarios as well, just as it helps people in horror movies. The wonderful friendly professor, a team, a nerd, a group of people, helpful and capable people helping the protagonist to survive. So there are lots of people helping us no matter if it's inside of a horror movie or in the real world.

Well, I don't know if I can see the audience that great. But maybe I can have some light because I have a question for you. If you see movies or Halloween or basically horror movies throughout the year, did you ever hear this quote, I'll be right back? And a person leaving. Yeah, I'm happy I'm not alone. I hope you're at least slightly annoyed because if I see this, I'm really annoyed because why should you split up at all? It's a bad omen. Don't do this. Don't do this in horror movies. It's so famous. It became a meme and I guess that tells you everything about this intelligent plan to split up. Right.

There are lots of people in horror movies doing weird decisions or even stupid ones. And we are like right behind our TV and saying like, ha-ha, I would do it better. But really, I really hope you will never get into a horror movie like situation. But we don't need to go that far because there are scary and important situations in our daily life as a software developer, which can become a horror movie. Right? Yes.

I do think that there are lots of parallels between web security, security issues, and horror movies. Not only people doing weird things, not listening to warnings even if they're clear and right in their face, stuff like that. So of course they are not completely the same. But there are lots of parallels we will discover later on. And even complete plot points of horror movies, mirroring complete incidents, which is really cool. Those titles here are, some might sound like movies but they are not. They are taken from the media because these are actual security issues. And they're pretty famous and pretty dangerous. For example, Heartbleed is a vulnerability in the popular OpenSSL. So, yeah, they're here. They're real and they cause lots of damage.

But there is a positive thing, which is they're in the real world, which will help us in horror scenarios as well, just as it helps people in horror movies. The wonderful friendly professor, a team, a nerd, a group of people, helpful and capable people helping the protagonist to survive. Like this professor I tried to draw by the movie Sinister. I don't know if I made it, but you get the point. So there are lots of people helping us no matter if it's inside of a horror movie or in the real world.

3. OWASP and 'The Invisible Man'

Short description:

The team which will help us is called OWASP. They do a ranking of the most important security risk to take care of. And I used them as a basis to craft our security survival playbook. The first horror movie is 'The Invisible Man,' which is a wonderful example for the most important risk for us: broken access control.

Okay. I guess you never tell anyone. Okay. The team which will help us is called OWASP. OWASP is the short term for Open Worldwide Application Security Project, and it's a bunch of people which have a goal to raise security inside of the web. So they are trying to nudge us to know what are the most dangerous risks on the web. And they do a ranking, or I guess four years? Not bad. So the ranking of the most important security risks to take care of. And I guess the last ranking was in 2021, if I'm not mistaken. And I used them as a basis, because they are really helpful, to craft our security survival playbook. Just like other, a little ironic, horror movies like Scream or Zombieland are doing it, trying to give us rules to adhere to if we are inside of a horror movie situation.

So okay. Not that much talk left. Let's get into the first horror movie. Okay. This is the first one. And at least the original movie is the oldest one. It's from 1933, I guess. But there was a remake in 2020. It's on The Invisible Man. And like the title already told you, it's about Griffin, who's a scientist doing an experiment and failing miserably and turning out to be invisible. At first he wants to hide because it's a bad condition, right? If nobody can see you. But of course, invisibility has some perks. So he quickly makes use of it. First by doing pranks, but then being tempted to do crimes or even worse things, such as murder. So not that kind to other people, right? So yeah. This is the fast plot summary, basically. And I do think this plot is a wonderful allegory, a wonderful example for the most important risk for us. This is called broken access control. And it's on the first rank, which basically showcases its importance for us, right? I guess when it comes to the data set they use to evaluate which risks are important and whatnot, they have the most occurrences in the realm of broken access control.

4. Access Control and Invisibility

Short description:

Access control means a user cannot act outside their intended permissions. This can lead to unauthorized information disclosure, unauthorized modifications, or destruction. Invisibility parallels unauthorized access, false sense of security, and leaving no traces. To survive broken access control, deny by default and use rate limiters to minimize harm.

Access control generally means that a user cannot act outside their intended permissions. And a failure obviously means that a user is well capable of doing that, like an invisible man who cannot be seen and can do whatever they please. So yeah. This can lead to many things, like unauthorized information disclosure, people being able to modify things they shouldn't be able to, or even destruction. Yeah. I'm looking at you, CORS, or token manipulation. This could happen.

So okay. Let's get a little deeper into the parallels. Invisibility can hint to unauthorized access. Because an attacker can operate unseen, such as Griffin can. They can go in, they will not be seen, they can wreak havoc, read stuff, access sensitive data, stuff like that. And such as Griffin did by doing crimes and stuff. It's abuse of the power of invisibility. Or in security terms, abuse of power beyond what should be allowed. Quite a good parallel.

Another one is a false sense of security. If you can see a perpetrator, you feel safe, right? Because there's nothing. And those people which are not seen, either an invisible man or an attacker, cannot be stopped. Because guards and locks cannot stop what they cannot detect, right? Pretty bad. So poorly implemented access control can lead to a false sense of security. And even worse, if you don't block it, you cannot know that there is a breach, maybe. And last but not least, an invisible attacker will leave no traces. As said, when it comes to this, without proper logging, nothing happens. You can exploit your data. And you have a mess.

So what can we do to survive invisible man? Or broken access control? Your default mode of operation would be denying by default. If you have, for example, a default user without any assignment, for example, they shouldn't be able to do anything, unless the user or the endpoint is a public resource. You should try to minimize harm by using rate limiters in your API and in your controllers. So if people can do more than they intended to do, it's just a small area of damage.

5. Access Control Best Practices

Short description:

If you have stateful session identifiers, invalidate them regularly. Use short-lived JWT tokens or consider OAuth. Implement and reuse access control mechanisms. Check out OpenFGA, a rule-based access control inspired by Google Zanzibar, open-source and reliable.

If you have stateful session identifiers, you should invalidate them on a regular basis. As soon as possible, and the faster, the better. When I think about a JWT token, you should have them short-lived. And if it's not possible, if you want to have more convenience for your user, try to think about using the OAuth standard. This makes the attack window a little smaller. Last but not least, you can think about implementing and reusing access control mechanisms. And there are plenty you could take a look at. This can lead to minimizing cause, without sharing on other things. A small recommendation I want to just mention here real quick is OpenFGA, which is inspired by Google Zanzibar, a rule-based access control, but has some RBAC and ABAC use cases as well. And it's open source, which I really like. And as far as I know, it's a Cloud Native Computing Foundation project. So it's a reliable source you can trust.
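The survival rules from the two access control sections (deny by default, rate limiting, short-lived sessions, and checking the object as well as the route) as an added JavaScript example. This is not code from the talk or its slides; the route table, role permissions, 15-minute session TTL, and the session, user and order fixtures are all constructed for the demonstration, and it runs in plain Node without a web framework.

```javascript
// Added example, not code from the talk: deny-by-default authorisation,
// short-lived sessions and a per-client rate limiter in plain Node, no framework.

// Route table. A route is private unless explicitly marked public, and a private
// route names the one permission it needs. Anything not listed here is denied.
const ROUTES = {
  'GET /health':        { public: true },
  'GET /orders/:id':    { permission: 'orders:read' },
  'DELETE /orders/:id': { permission: 'orders:delete' },
};

// Role -> granted permissions. An unknown role grants nothing.
const ROLE_PERMISSIONS = {
  customer: new Set(['orders:read']),
  admin:    new Set(['orders:read', 'orders:delete']),
};

const SESSION_TTL_MS = 15 * 60 * 1000; // assumed policy: sessions live 15 minutes

function sessionIsValid(session, now) {
  return Boolean(session) && now < session.issuedAt + SESSION_TTL_MS;
}

// Fixed-window limiter keyed by client id. `now` is an argument so the
// behaviour is deterministic in tests; callers pass Date.now() in production.
function createRateLimiter({ limit, windowMs }) {
  const windows = new Map();
  return function allow(clientId, now) {
    let w = windows.get(clientId);
    if (!w || now - w.start >= windowMs) {
      w = { start: now, count: 0 };
      windows.set(clientId, w);
    }
    w.count += 1;
    return w.count <= limit;
  };
}

// Route-level check: may this identity call this route at all?
function authorizeRoute(user, routeKey) {
  const route = ROUTES[routeKey];
  if (!route) return 404;                 // unknown route: denied, not guessed
  if (route.public) return 200;
  if (!user) return 401;                  // no identity on a private route
  const granted = ROLE_PERMISSIONS[user.role] || new Set();
  return granted.has(route.permission) ? 200 : 403;
}

// Object-level check: holding "orders:read" does not mean reading everyone's
// orders. Customers only reach their own; admins reach all.
function authorizeObject(user, order) {
  if (!user) return 401;
  if (!order) return 404;
  return user.role === 'admin' || order.ownerId === user.id ? 200 : 403;
}

// Constructed fixtures standing in for a session store, a user table and orders.
const SESSIONS = {
  'sess-alice': { userId: 'u1', issuedAt: 1000000 },
  'sess-bob':   { userId: 'u2', issuedAt: 1000000 },
};
const USERS = { u1: { id: 'u1', role: 'customer' }, u2: { id: 'u2', role: 'admin' } };
const ORDERS = { o1: { id: 'o1', ownerId: 'u1' }, o2: { id: 'o2', ownerId: 'u2' } };

const limiter = createRateLimiter({ limit: 5, windowMs: 60000 });

// One request through the whole pipeline: rate limit -> session -> route -> object.
// Returns an HTTP status code so the decision is easy to assert on.
function handle({ method, path, orderId, sessionId, clientId, now }) {
  if (!limiter(clientId, now)) return 429;
  const session = SESSIONS[sessionId];
  const user = sessionIsValid(session, now) ? USERS[session.userId] : null;
  const routeStatus = authorizeRoute(user, `${method} ${path}`);
  if (routeStatus !== 200) return routeStatus;
  if (orderId === undefined) return 200;
  return authorizeObject(user, ORDERS[orderId]);
}
```

The order of the checks matters: the limiter runs before any lookup so an unauthenticated flood costs nothing, the session expiry is enforced before the role is consulted, and the object check runs even when the route check passed, which is the step that a caller acting "invisibly" with a valid but low-privilege session usually targets.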

6. Cryptographic Failures in Hellraiser

Short description:

Hellraiser is a movie from 1987 that serves as an allegory for cryptographic failures. The puzzle box in the movie represents an easily breakable encryption system. The Cenobites symbolize the consequences of failure, and the resurrection of Frank represents failed data recovery.

Okay. Are you ready for the second film? Whoo-hoo. Well, I wouldn't be so happy to see this fellow, right? I'm talking about Hellraiser. It's a movie from 1987. Sorry? Pinhead is pretty famous, I think. But the plot, and especially for security, I want to take a closer look at a certain box they have, the puzzle box, which is basically the Lament Configuration.

In the movie, there's a person, I guess he's called Peter or Frank, Frank, I guess Frank was his name. He's finding this box and he's basically solving it. The thing is, if you solve the puzzle, you will open a gateway to the hell-like realm of the Cenobites. And Cenobites are not that friendly. They're not coming just for dinner or for a cup of tea or something. They want to hunt people for experience. And I guess nobody was willing to be a guinea pig, right? And there's a woman, the lover of Frank, I guess, who tries to resurrect him, who solved the puzzle and became a victim.

This movie is a wonderful allegory on cryptographic failures. So basically all the failures related to cryptography, or the lack thereof. This point, before, when it comes to the OWASP ranking, was previously known as sensitive data exposure, which is the most prominent symptom. But as it's not the cause, they renamed it. The movie parallel, as already hinted at, hints to this puzzle box, the Lament Configuration, being an encryption system which is easy, or easier, to break. The Cenobites are the consequences of failure. So they will come and haunt you because they have your data, for example, or were able to access it. And the resurrection of Frank, it's a failed data recovery. So even if you try to recover your measures, you can never know if everything's in order, right?

7. Surviving Security Issues and the Alien Allegory

Short description:

To survive a security issue, encrypt sensitive data, classify and discard unnecessary data, avoid caching sensitive responses, use secure protocols, and learn from the allegory of Alien and the face hugger as an example of input validation bypass and code injection.

Okay, how can we survive a Hellraiser-like security issue? First thing is: encrypt all sensitive data. Pretty easy, right? Use encryption algorithms and be really careful and thoroughly consistent. Try to classify the data you process, store, or transmit, because this way you can identify which data is sensitive. You shouldn't store sensitive data unnecessarily, so discard it if it's not in use anymore. Use PCI DSS-compliant tokenization or truncate it, and as I said, discard it as soon as you don't need it anymore.

The point which I would like to have you inside of your toolkit is that you try to not cache sensitive responses. Because if they are not cached, nobody can take them, right? And last but not least, use secure, strong, and up-to-date protocols such as TLS and try to avoid FTP or SMTP because they're a little old.

Okay. Now we're coming to my favorite allegory. I couldn't resist to take it in even though the movie is a little explicit to say it like that. I guess you already saw it at once or heard about it. It's on Alien. It's a movie, I guess. Its original one, the first part, was in 1988, and it's about a spaceship crew to investigate a derelict spaceship. They were a little too curious, I guess. Which led them to be hunted by a deadly extraterrestrial creature called Xenomorph. And yes, disclaimer is in place. Plot is explicit. I tried to take care of my wording. If not, I'm sorry.

The thing which made them a little curious was this cute little fellow who just wants to hug people. I guess if you're not up for a special souvenir, you should refrain, I guess, unlike the crew, which was not that careful. They explored a little too much and brought back a little souvenir. I do think Alien is a wonderful example of an allegory on injection because, yeah, the face hugger, it makes people into hosts. It could be a wonderful example for input validation bypass and the initial system penetration if an attacker gets their code implemented or compiled inside of your program. If you were hugged by the face hugger, the code injection takes place. I will just mention the name chestburster.

8. Injection and Defense against it

Short description:

If you were hugged by the face hugger, the code injection takes place. Alien leaving the host is a wonderful example of code execution and system compromise. Trusted sources, safe API, server-side input validation, SQL features, and sanitation are important measures against injection.

If you were hugged by the face hugger, the code injection takes place. I will just mention the name chestburster. People who saw the movie know what I'm talking about. When you become a host, there's an alien attached to you. At some point, the alien is big enough to live on its own. I don't get into detail but you can maybe see what I'm talking about. Because the alien will leave the host. And this is a wonderful example for code execution and system compromise, because the alien is out. It can wreak havoc, right?

Hello there. We haven't seen you more. And I guess it's not that friendly like the face hugger, right? Such as a complete system access is. And the resource consumption, it could be, too. So, yes, I do think Alien is perfect to explain injection. And this is the third rank in the ranking. So really important, especially for us frontend developers.

So what can we do? We should only use trusted sources, a safe API, which maybe even avoids interpreters, or ORMs. So there are fewer and smaller injection vectors, so to say. We should try to think about server-side input validation. We should use SQL features like LIMIT or other controls so there's not that much data which will come into a compiler, and escape special characters. And I know, yeah, we need to be careful when it comes to SQL structures, because user-supplied structure names might be dangerous and might break some things. So it should be a combination of all those measures. The most important thing is sanitation. This is a simplified example I came up with to basically refer it back to Alien, right? It's like a defense against the injection, which is basically doing quarantine and decontamination. So we will have a point, this if statement, where we try to detect hostile patterns. And we'll throw an error if we see some, so the input is disregarded. And if not, we will do a decontamination, like trying to throw away all the special characters we have. We can do it with libraries. We can build it on our own. We can do a combination of both, which I'm doing here. Like using DOMPurify to have an HTML sanitation, thinking about an SQL sanitation with the caveat of those user-supplied names.

9. Command Injection and Vulnerable Dependencies

Short description:

Command injection using Regex. The Blob movie as an allegory for vulnerable and outdated dependencies. Remove unnecessary dependencies, keep track of version numbers, obtain packages from trusted sources.

And a command injection. I like to use Regex for that. I have a small summary, but because we have not that much time left, I hope you can either take a picture or I will share my slides afterwards so you can just look them up. But you can catch stuff like XSS, things like script tags, SQL injections, commands, and even more.
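The "quarantine, then decontaminate" defense the speaker describes in the two sections above, as an added JavaScript example that is not the slide code from the talk. It covers the three cases the talk names: a value that goes into SQL (kept as a parameter, never spliced into the query), a user-supplied column name (which cannot be a parameter, so it is allowlisted), and a value rendered into HTML (encoded for that context). The `{ text, values }` query shape is what node-postgres accepts, but the query is only built here, not executed, and the column allowlist and page-size cap are assumptions for the demo.

```javascript
// Added example, not code from the talk: quarantine (reject what should never
// reach an interpreter) followed by context-specific decontamination.

const ALLOWED_SORT_COLUMNS = new Set(['created_at', 'total', 'status']); // assumed schema
const MAX_PAGE_SIZE = 100;                                                // assumed cap

// Quarantine tripwire. Deliberately small: a denylist can only ever catch what
// it lists, so the real protection is the parameterised query and the
// identifier allowlist below. The tripwire exists to fail loudly and log early.
const HOSTILE = /<\s*script\b|;\s*(drop|delete|union)\b|\$\(/i;

function quarantine(input) {
  if (typeof input !== 'string') throw new TypeError('string expected');
  if (input.length > 256) throw new Error('input too long');
  if (/[\u0000-\u001f]/.test(input)) throw new Error('control characters rejected');
  if (HOSTILE.test(input)) throw new Error('hostile pattern rejected');
  return input;
}

// SQL decontamination: values travel as parameters, identifiers are allowlisted,
// and the page size is bounded (the LIMIT control the talk mentions).
function buildOrderQuery({ userId, status, sortBy, limit }) {
  quarantine(status);
  if (!ALLOWED_SORT_COLUMNS.has(sortBy)) {
    throw new Error(`unknown sort column: ${sortBy}`);
  }
  const pageSize = Number.isInteger(limit)
    ? Math.min(Math.max(limit, 1), MAX_PAGE_SIZE)
    : 20;
  return {
    text: `SELECT id, total, status FROM orders ` +
          `WHERE user_id = $1 AND status = $2 ORDER BY ${sortBy} LIMIT $3`,
    values: [userId, status, pageSize],
  };
}

// HTML decontamination: encode for the output context rather than stripping
// characters. (When user HTML must be allowed, this is where a sanitiser such
// as DOMPurify, which the talk mentions, replaces plain escaping.)
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderComment(author, body) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}
```

The point the test makes is that a value like `paid' OR '1'='1` passes quarantine and is still harmless, because it ends up in `values`, never in `text`; the tripwire is defense in depth, not the thing keeping the query safe.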

Okay. Let's fast forward because of the time, because I have one more rank, which is not on rank 4. But in my opinion, it's really important. And I want to introduce it to you with this little movie. It's called the Blob. It's from 1958. And it's again an alien, but it does different things than a xenomorph. And it crashes on earth. And it's like a big, I don't know how to call it, blob, thingy. I don't know how to describe it, but you can see it in this poster. It's growing because it consumes things and living beings and gets bigger, bigger, bigger. It's growing more red, aggressive, and bigger. And this is bad, right?

It's my favorite allegory on vulnerable and outdated dependencies. A big blob of technical debt. A big blob of dependencies which you don't know why you chose them. You don't know when you updated them the last time. And yes, it becomes bigger and bigger and more terrifying and difficult to test and difficult to fix. The obvious parallel is the blob's growth, which is dependencies or technical debt. The consumption of the victims by the blob is how vulnerabilities and technical debt could spread to even more potential security issues or risks. Because maybe you missed out on a security fix, right? And the growth of the blob is unstoppable, such as when it comes to unmanaged dependencies.

So yeah. What can you do? I will be a little more quick now. You should remove all dependencies you don't need anymore. You should have an inventory of all version numbers. Or at least try to follow up with social media or change logs to know if there's more updates. You should try to obtain all of your packages from trusted sources and secure links and not just like somewhere on the internet.

10. Monitoring Dependencies and General Security Rules

Short description:

Monitor and update libraries and tools. Use audit scripts and Snyk for security testing and updates. New OWASP ranking coming next year. General security rules like staying together, asking for help, and checking tools for updates. Double check if the killer is really defeated.

And try to monitor if you have libraries in place or tools which are not maintained anymore. Because if it's not maintained, of course, you will not get security fixes. And last but not least, never ignore dependabot. Always update your dependencies.

Here there are some scripts you could think of, like doing the audit script, which will basically ask for a report of known vulnerabilities. You can fix it, outdated stuff. If something's outdated, you could use Snyk, which is a handy tool to test and have for security issues. And you basically update safely. This is npm-check-updates, helping you to upgrade all of your packages and dependencies to the latest versions.
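The inventory, audit and "is it still maintained?" advice from the two dependency sections above, as an added JavaScript example that is not from the talk. The audit sample is constructed in the shape `npm audit --json` produces on npm 7 and later (`auditReportVersion: 2`, a `vulnerabilities` map keyed by package name); the registry samples mirror only the `time.modified` field of a registry packument. All package names, versions and dates are made up, and the thresholds are assumptions.

```javascript
// Added example, not code from the talk: two checks a CI job can run over the
// output of `npm audit --json` and over a dependency inventory.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Gate the build on audit findings at or above a severity. Reports the direct
// vs. transitive distinction and whether npm says a fix is available, because
// those decide who has to act (you, or an upstream maintainer).
function gateAudit(report, failAt = 'high') {
  const threshold = SEVERITY_RANK[failAt];
  const blocking = Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      fixAvailable: Boolean(v.fixAvailable),
    }));
  return { ok: blocking.length === 0, blocking };
}

// Flag dependencies that look unmaintained: no registry metadata at all, or no
// publish in more than maxAgeDays. `now` is injected for deterministic tests.
const DAY_MS = 24 * 60 * 60 * 1000;

function staleDependencies(inventory, packuments, now, maxAgeDays = 365) {
  const stale = [];
  for (const [name, version] of Object.entries(inventory)) {
    const meta = packuments[name];
    if (!meta || !meta.time || !meta.time.modified) {
      stale.push({ name, version, reason: 'no registry metadata' });
      continue;
    }
    const ageDays = Math.floor((now - Date.parse(meta.time.modified)) / DAY_MS);
    if (ageDays > maxAgeDays) {
      stale.push({ name, version, reason: `last published ${ageDays} days ago` });
    }
  }
  return stale;
}

// Constructed sample data. Package names and dates are invented.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-template-lib': {
      name: 'example-template-lib', severity: 'high', isDirect: true,
      range: '<2.0.1', fixAvailable: true,
    },
    'example-deep-util': {
      name: 'example-deep-util', severity: 'low', isDirect: false,
      range: '*', fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 } },
};

const SAMPLE_INVENTORY = {
  'example-template-lib': '2.0.0',
  'example-deep-util': '0.4.2',
  'example-forgotten': '1.1.0',
};

const SAMPLE_PACKUMENTS = {
  'example-template-lib': { time: { modified: '2024-09-30T00:00:00.000Z' } },
  'example-deep-util':    { time: { modified: '2021-01-15T00:00:00.000Z' } },
};

const SAMPLE_NOW = Date.parse('2024-11-18T00:00:00.000Z');
```

In a pipeline, `gateAudit` would be fed the parsed stdout of `npm audit --json` and `staleDependencies` the `dependencies` map from `package.json` plus whatever registry metadata the inventory job fetched; the two checks answer different questions (known vulnerable now, versus nobody left to fix it later), which is why both belong in the "monitor" step rather than only the audit.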

There's a new OWASP ranking coming next year. As far as I know, they are collecting new data right now. So November, December this year. Okay.

I come to a close now. Let me sum it up with general security horror movie rules. Like Scream, basically. First, stay together as a team. Don't split up. Not even if you think it's a sneaky deal. For development, don't feel alone. Tackle issues with the communities. Don't be scared to ask for help. And we're all in this together when it comes to fighting security issues. Take care of your batteries.

In a horror movie, it's not that great to have an empty torch or an empty phone battery, just ask your tools. Try to check if they're up to date, if there's a new security issue or a patch, and just have a wonderful tool garden and nurture it. Double check if the killer is really defeated. So in a horror movie, sometimes people don't check if the killer's dead. And then they are super surprised that it's redescending. Same with your code.

11. Code Testing and Final Remarks

Short description:

Check your code, test thoroughly, and take warnings seriously. Thank you for joining me on this journey through horror movies. I'm Ramona, a developer advocate for Auth0.

Check your log in, test your code, test your fixes and see if it's really done. And last but not least, take your advice seriously. If there's a warning, there might be a reason for it, especially if it's clear and right in your face.

Well, thank you so much for being with me as a companion on my journey through horror movies. It made it way less scary for me. My name is Ramona, I work as a developer advocate for Auth0, and hopefully I will see you in a bit. Thank you so much for listening.

QnA

Social Engineering and Favorite Horror Movies

Short description:

Protecting against social engineering requires a combination of tools and human awareness. End-to-end testing and AI testing tools can help, but there will always be some uncertainty due to human behavior. It's important to train and educate people to prevent falling for internal phishing attempts. As for favorite horror movies, I recommend checking out the psychological horror movies from A24, such as Hereditary and Midsommar. For access control, I recommend the open source tool OpenFGA.

Thank you so much for listening.

Okay. So we have some questions here for you. Please. Someone is asking, how do you protect against social engineering? That's a good question. Is this virtually impossible? Well, of course you could check if some tools are on the market to help you, but of course people are people, right? I would advise to think for example, of course it's another discussion if it's effective or efficient or not, but you could always go for end-to-end testing, mimicking a user. So maybe that's a good idea. There are some AI testing tools out there, that could be an idea. And some predict things. I forgot the name, I will look it up, but these are the spontaneous things I would check out. But of course, people are being people. People are sometimes not rational. Even myself, I'm not always rational, so there's always a little uncertainty in it.

Yeah, definitely. I definitely have fallen for those internal phishing attempts. It makes it even more important to train people and to educate them.

Oh, wow. The next one is a popular question, and that is, what's your favorite horror movie? Ooh, that's an interesting one. Well, I love the A24 movies. So if you are into psychological horror movies, take a look at them. I'm not that much of a fan of Splatter or Gore, because I do think they have no better arguments to be shocking. So maybe Hereditary or Midsommar. Oh, those are really good ones. Love A24 and what they do. My first horror movie was The Ring. Oh yeah? I definitely have to check that out.

Okay, next one is from Matt. What was the open source tool you recommend for access control? It's called OpenFGA. I actually forgot to include a QR code, so just search for OpenFGA, or I guess I will add it real quick to my slides when I share them. Oh yeah, that sounds good.

Testing for Security and Conclusion

Short description:

To ensure security, testing tools like ZAP by OWASP can be helpful; both open source and paid versions exist. Combining test automation is recommended. Take action and perform tests. Thank you for your time and applause.

Thanks for doing that.

Okay, we have questions from someone anonymous. Spooky. How do you test that something is secure? Well, there are some tools. I guess it's called ZAP by OWASP, which you could take a look at. I'm not so sure how many open source versions of it are out there, but there are definitely some paid tools. And I actually saw a Cypress hybrid with ZAP. It's pretty old. Hopefully, maybe I can find some time to try to update it, or anyone else in the open source community. Combining test automation is a good idea, because hopefully I've already had some tests.

Yeah, so was that a call to action for the people here to update it? Oh yeah, do your tests, please. Sounds good.

Well, that's all the time we have. What a lovely talk. Lovely as in spooky, I guess that's a compliment for the talk. Thank you so much.

Yeah, thank you for your time. And you can find Ramona outside, or do you have a discussion room coming up? Is that right? No, there's no discussion room. So you should find me in the Q&A.

Every room with Ramona will be a discussion room. So all right. Thank you. Thank you so much. Applause.

Check out more articles and videos

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022, 26 min
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.

The State of Passwordless Auth on the Web
JSNation 2023, 30 min
Passwords are weak and easily compromised, and most people do not use a password manager. The Credential Management API and the autocomplete attribute can improve both user experience and security. Two-factor authentication improves security but degrades user experience. Passkeys offer a seamless and secure login experience, though browser support may be limited. Recommendations include detecting passkey support and offering fallbacks to passwords and two-factor authentication.

5 Ways You Could Have Hacked Node.js
JSNation 2023, 22 min
The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The talk discusses various hacking techniques, including DLL injection and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certificate validation. The importance of HTTP proxy tunneling and of the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.

Content Security Policy with Next.js: Leveling Up your Website's Security
React Summit US 2023, 9 min
Lucas Estevão, a Principal UI Engineer and Technical Manager at Avenue Code, discusses how to implement Content Security Policy (CSP) with Next.js to enhance website security. He explains that CSP is a security layer that protects against cross-site scripting and data injection attacks by restricting what the browser is allowed to load and execute. The talk covers adding CSP to a Next.js application using meta tags or headers, and demonstrates the use of the nonce attribute for allowing inline scripts securely. Estevão also highlights the importance of CSP violation reports for identifying and improving application security.

How React Applications Get Hacked in the Real-World
React Summit 2022, 7 min
How to hack a live RealWorld React application in seven minutes, with tips, best practices, and pitfalls when writing React code. React is secure by default against cross-site scripting (XSS), but not always: the first discovery is that adding a user-supplied link (a Twitter profile link) to the React application introduces an XSS vulnerability, because React does not sanitize or output-encode href attributes. Fix attempts such as detecting the string "javascript", substituting a dummy hashtag, and lowercasing the input are each bypassed, ending with a control character exploit. Best practices: avoid a denylist approach and validate user input. The talk also covers React's lack of sanitization and output encoding for user input, the need to pretty-print JSON, the react-json-pretty package and its potential XSS risks, and the importance of context-specific output encoding and secure coding practices.

Let Me Show You How React Applications Get Hacked in the Real-World
React Advanced 2021, 22 min
React's default protection against XSS vulnerabilities; finding and fixing XSS vulnerabilities in React; control characters and the security issues they cause; an alternative approach to JSON parsing; and the risks in JSON input and third-party dependencies.
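The summary of "How React Applications Get Hacked in the Real-World" above describes a link sanitizer that was bypassed first by case variation and then by control characters. The following is an added example, not code from that talk or from this page, that puts the naive checks beside a robust one in plain Node.js. The point it demonstrates: the browser's WHATWG URL parser (Node's global URL implements the same algorithm) strips ASCII tab and newline characters and leading control characters before it reads the scheme, so a check that string-matches the raw input can always be bypassed; the check must parse first, exactly as the browser will, and then allowlist the resulting scheme. The base origin https://example.com/, the helper names and the payload list are assumptions constructed for the example.

```javascript
// Added example, not from the talk or this page: validating user-supplied hrefs.
// Only Node's built-in WHATWG URL parser (global URL) is used; no React needed.
// BASE is a hypothetical origin used to resolve relative links such as "/profile".
const BASE = 'https://example.com/';
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Naive check 1: denylist the literal prefix. Bypassed by "JavaScript:" (case).
function naiveIsSafe(href) {
  return !href.startsWith('javascript:');
}

// Naive check 2: lowercase first. Still bypassed by control characters, because
// the browser removes ASCII tab/newline and leading C0 controls before it reads
// the scheme, so "\tjava\nscript:alert(1)" is executed as javascript:alert(1).
function naiveLowercaseIsSafe(href) {
  return !href.toLowerCase().startsWith('javascript:');
}

// Robust check: normalize with the same parser the browser uses, then allowlist
// the resulting scheme. Anything else becomes an inert "#" (the "dummy hashtag"
// fallback), so a bad value degrades to a dead link instead of a script.
function safeHref(href) {
  if (typeof href !== 'string') return '#';
  let url;
  try {
    url = new URL(href, BASE);
  } catch {
    return '#'; // unparseable input
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : '#';
}

// Minimal attribute/text escaping for the string rendering below.
// (React's JSX does this escaping for you; it does NOT validate the scheme.)
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Stand-in for <a href={safeHref(userHref)} rel="noopener noreferrer">{text}</a>.
function renderLink(userHref, text) {
  return `<a href="${escapeHtml(safeHref(userHref))}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed payloads (not from the talk): what each check lets through.
const PAYLOADS = [
  'https://twitter.com/someone',
  '/profile',
  'mailto:someone@example.com',
  'javascript:alert(1)',
  'JavaScript:alert(1)',
  '\tjava\nscript:alert(1)',
  '\u0001javascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];

// One row per payload: true from the naive checks means "accepted" (i.e. bypassed
// for the hostile inputs); safeHref shows what the robust check actually renders.
function evaluate() {
  return PAYLOADS.map(p => ({
    input: JSON.stringify(p),
    naive: naiveIsSafe(p),
    lowercased: naiveLowercaseIsSafe(p),
    safeHref: safeHref(p),
  }));
}

console.table(evaluate());
```

In a React component the only line that changes is the attribute: `<a href={safeHref(profile.url)}>` instead of `<a href={profile.url}>`. Keeping the allowlist to the schemes the feature actually needs (here http, https and mailto) is what makes the check hold against scheme variants the denylist never anticipated, such as data: URLs.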

Workshops on related topic

Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
JSNation US 2024, 148 min
Gregor Biswanger
In this hands-on workshop, you will be equipped with the tools to effectively test the security of web applications. This course is designed for beginners as well as those already familiar with web application security testing who wish to expand their knowledge. In a world where websites play an increasingly central role, ensuring the security of these technologies is crucial. Understanding the attacker's perspective and knowing the appropriate defense mechanisms have become essential skills for IT professionals. This workshop, led by the renowned trainer Gregor Biswanger, will guide you through the use of industry-standard pentesting tools such as Burp Suite, OWASP ZAP, and the professional pentesting framework Metasploit. You will learn how to identify and exploit common vulnerabilities in web applications. Through practical exercises and challenges, you will be able to put your theoretical knowledge into practice and expand it. In this course, you will acquire the fundamental skills necessary to protect your websites from attacks and enhance the security of your systems.

0 to Auth in an hour with ReactJS
React Summit 2023, 56 min
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users, including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:
- User authentication: managing user interactions, returning session / refresh JWTs
- Session management and validation: storing the session securely for subsequent client requests, validating / refreshing sessions
- Basic authorization: extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch on other approaches to implementing authentication with Descope, using frontend or backend SDKs.

OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024, 97 min
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security. During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications. The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. Hints will be given to help solve the vulnerabilities and pass the tests. The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project. It's suitable for Node.js developers of all skill levels, from beginners to experts; it requires a general knowledge of web applications and JavaScript.
Table of contents:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery

How to Build Front-End Access Control with NFTs
JSNation 2024, 88 min
Solange Gueiros
Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.

Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022, 99 min
Matthew Salmon
npm and security: how much do you know about your dependencies? Hack-along: live hacking of a vulnerable Node app, https://github.com/snyk-labs/nodejs-goof, with vulnerabilities from both open source and written code. Attendees are encouraged to download the application and hack along with us. Fixing the issues and an introduction to Snyk with a demo. Open questions.

Bring Code Quality and Security to your CI/CD pipeline
DevOps.js Conf 2022, 76 min
Elena Vilchik
In this workshop we will go through all the aspects and stages of integrating your project into a Code Quality and Security ecosystem. We will take a simple web application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle, starting from coding in the IDE and opening a Pull Request, and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.