Andreas Falk has been working on enterprise application development projects for more than twenty years.
Currently, he is working as a managing consultant for Novatec Consulting, located in Germany. In various projects, he has worked as an architect, developer, coach, and trainer. His focus is on the agile development of cloud-native enterprise Java applications using the complete Spring platform. As the lead of agile security at Novatec Consulting and a member of the Open Web Application Security Project (OWASP), he also takes a closer look at all aspects of application security.
Andreas is also a frequent speaker at conferences like Devoxx, Spring I/O, CloudFoundry Summit, and OWASP.
However, from a security perspective, SPAs carry a much higher risk than server-side web applications such as those built with Spring MVC.
In this talk, we will look at the popular SPA libraries and frameworks Angular, React, and Vue and take a closer look at their security aspects. In particular, we will examine security risks such as cross-site scripting (XSS), cross-site request forgery (CSRF), token-based authentication risks, and CORS misconfigurations.
So that developers are not left out in the rain, we will analyze the built-in defenses of the various SPA libraries and frameworks and show which additional steps developers need to take beyond them. So be prepared for some XSS popups to appear in your favorite SPAs.