Thank you so much for this info. So I have SSL, CORS, JWT token-based auth, and I'll try to mitigate all the XSS I can.
The issue I have now is that I'm concerned about the possibility that someone could grab my JWT token that I have saved through localforage (which, according to browser capabilities, saves to IndexedDB, WebSQL or LocalStorage). Any good practices you know (besides XSS) in order to avoid that? Regards!

On Thursday, 4 December 2014 at 22:30:21 UTC-6, Sander Elias wrote:
>
> Hi Alberto,
>
> Let's start off with a link:
>
> http://www.academia.edu/5475280/An_Investigation_into_Possible_Attacks_on_HTML5_IndexedDB_and_their_Prevention
> and another one:
> https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
>
> Done reading that? Good.
> The first thing in web-app security is that there is no security.
> Number 1 concern in our line of business:
> *do not trust the client* (where the client is the program connecting to
> your server; you're not even sure it's a browser!)
>
> Things you have to do to get at least a little security:
>
> 1. HTTPS
> 2. enable CORS
> 3. no 3rd-party extensions (meaning: no advertising, no social stuff,
> no untrusted CDNs, nothing coming from another origin basically)
>
> If you have all of that, you might be reasonably safe. However, your users
> might have installed some plugins into their browser. Problem!
> Plugins can still access your IndexedDB.
>
> Bottom line: if you have something that needs to be stored at a safe
> location, the browser is not a platform you can use! Store it on your
> server.
>
> Regards
> Sander
