The Final Frontier: Security APIs in Modern Browsers - Christian Wenz - NDC Oslo 2024

Christian Wenz

Discover essential browser security features like CSP, CORS, and security headers. Learn best practices for cookies, XSS prevention, and authentication in modern web apps.

Key takeaways
  • Content Security Policy (CSP) is a critical browser security feature that helps prevent XSS attacks by controlling which resources can be loaded and executed

  • Same-origin policy restricts JavaScript code to only access resources from the same origin (protocol, domain, port)

  • Modern browsers provide several security headers to enhance protection:

    • Strict-Transport-Security (HSTS) to enforce HTTPS
    • Content-Security-Policy to control resource loading
    • Same-Site cookies to prevent CSRF attacks
    • Referrer-Policy to control URL leakage
    • X-Frame-Options to prevent clickjacking
  • Cookie security best practices:

    • Use Secure flag for HTTPS-only
    • Use HttpOnly flag to prevent JavaScript access
    • Implement Same-Site attribute
    • Consider cookie prefixes for additional security
  • Cross-Site Scripting (XSS) remains a major threat:

    • Sanitize user input
    • Avoid innerHTML when possible
    • Use CSP to restrict script execution
    • Implement proper encoding
    • Consider using the Trusted Types API
  • Don’t store authentication tokens in localStorage - use cookies with proper security flags instead

  • Use subresource integrity (SRI) when loading resources from CDNs to prevent malicious code injection

  • Implement proper CSRF protection:

    • Use anti-CSRF tokens
    • Leverage Same-Site cookies
    • Validate request origins
  • For legacy applications, use CSP in report-only mode first to identify potential issues before enforcement

  • Defense in depth is key - implement multiple security controls rather than relying on a single protection mechanism