Build Secure User Interfaces Using JSON Web Tokens (JWTs)

Track: JavaScript
Skill Level: Intermediate
Room: Room A411
Time Slot: Tue 2/16, 2:30 PM
Tags: jwts , authentication , angularjs , nodejs , security , rest apis
Abstract

With new tools like Angularjs and Nodejs, it is easier than ever to build User Interfaces for the systems that you manage. But how to do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky.

JSON Web Tokens (JWTs) are being prescribed as a panacea for webapp security, but you need to know your security basics before you can implement them with peace of mind. JWTs are a great mechanism for persisting authentication information in a verifiable and stateless way, but that token still needs to be stored somewhere.

In this talk, Robert Damphousse, lead front-end developer at Stormpath, will explain the security loopholes in web browsers, and what you can do about them keeping your JWTs safe and secure. Topics covered include:

  • Web browser security issues like XSS, user credential security, managing access control information, Man in the Middle attacks (MitM), and Cross-Site Request Forgery (CSRF).
  • How you can mitigate potential security risks.
  • Security issues and implementation tips across the entire stack.
  • What you need to know about cookies.
  • Infrastructure issues with session identifiers.
  • How to issue JSON Web Tokens (JWTs) to secure the browser application.

Robert will demonstrate these points with a simple single-page-application, built with Angular.js, and backed by a REST API.

Robert Damphousse

Robert Damphousse is the Lead Front-End Developer at Stormpath.

Prior to Stormpath, he was the Director of Engineering at Colingo, a 24/7 online language school where he specialized in full-¬≠stack Javascript environments and immersive browser-¬≠based applications with realtime technologies. When he’s not coding, you’ll find Robert working on more physical projects, whether that’s building hardware or converting a 1952 school bus into an RV.