A single-page application means putting a lot of traditionally server-side internals in the great unknown of a client's browser. The move of data and logic towards frontend requires a different model for application security. In addition to old foes like cross-site scripting, we now have to consider concepts like local storage, routing, JWTs and OAuth2 frameworks, and understand their implications in locking down our apps. Let's clear up the confusion and zero in on thew approaches and techniques you need to secure your React app.
We'll examine several layers of security relevant to React apps, including UI-level security (preventing XSS attacks and securing routes with React Router and Higher-Order Components), and API security using JWTs and third-party authentication-providers.
Come see how easy it is to build fast, accurate, and responsive web UIs using the React library. Even if you’ve never written Javascript before, React’s straightforward syntax can get you started with your UI project quickly. In this session, you’ll learn about React’s declarative syntax and state representation, explore some of the basic components that are used to build sophisticated UIs, and leave with a foundational application you can continue to build on.
Introduction to React in combination with Redux. Redux helps you to develop applications in a simple way while having features like time-travel available during development.
Tutorial Videos: https://www.youtube.com/playlist?list=PLD8nQCAhR3tQ7KXnvIk_v_SLK-Fb2y_k_
Day 1 : Introduction to React, Babel and Webpack
Prerequisites of starting the workshop ( Basic understanding of Node & Express )
What is Virtual DOM?
What is React and why should we use it?
Install and set up React:
a-Using create-react-app
b-From scratch using Babel and Webpack. We will use Webpack Dev Server.
Day 2 : React Basic Concepts
Types of Components: Class-based and Functional based Components
Use of JSX
Parent, Child, and Nested Components
Difference between State and Props
Create and Handle Routes
Component Lifecycle Methods
Create a form and handling form inputs
Use of arrow functions and Spread Operator
Day 3: Advanced Concepts in React
Use of Refs
What are Higher Order Components( HOC )?
How to use HOC
Understanding Context in React
Come see how easy it is to build fast, accurate, and responsive web UIs using the React library. Even if you’ve never written Javascript before, React’s straightforward syntax can get you started with your UI project quickly. In this session, you’ll learn about React’s declarative syntax and state representation, explore some of the basic components that are used to build sophisticated UIs, and leave with a foundational application you can continue to build on.
Introduction to React in combination with Redux. Redux helps you to develop applications in a simple way while having features like time-travel available during development.
Tutorial Videos: https://www.youtube.com/playlist?list=PLD8nQCAhR3tQ7KXnvIk_v_SLK-Fb2y_k_
Day 1 : Introduction to React, Babel and Webpack
Prerequisites of starting the workshop ( Basic understanding of Node & Express )
What is Virtual DOM?
What is React and why should we use it?
Install and set up React:
a-Using create-react-app
b-From scratch using Babel and Webpack. We will use Webpack Dev Server.
Day 2 : React Basic Concepts
Types of Components: Class-based and Functional based Components
Use of JSX
Parent, Child, and Nested Components
Difference between State and Props
Create and Handle Routes
Component Lifecycle Methods
Create a form and handling form inputs
Use of arrow functions and Spread Operator
Day 3: Advanced Concepts in React
Use of Refs
What are Higher Order Components( HOC )?
How to use HOC
Understanding Context in React
NgRx is a framework for building reactive applications in Angular with the Management of States. NgRx is inspired by the Redux pattern - unifying the events in your application and deriving state using RxJS.
At a high level, NgRx stores a single state and uses actions to express state changes. It makes Angular development easier by simplifying the application’s state in objects and enforcing unidirectional data flow.
It is established with 5 main components - Store, Actions, Reducers, Selectors, and Effects.
Getting started with the reactjs, basics of reactjs, introduction of reactjs, core concepts of reactjs and comparison with the other libraries/frameworks
A step towards the way you write the code in React application.In this presentation, I have given introduction about React hooks. Why we need it in our react applications and describe about the two most commonly used React Hooks API useState and useEffect. I also given the links of code snippets I added in these slides
ReactJS is arguably the most popular Javascript framework around for web development today. With more and more teams exploring and adopting React, here is TechTalks presentation elaborating fundamentals of React, in a code along session
Plain React detects changes by re-rendering your whole UI into a virtual DOM and then comparing it to the old version. Whatever changed, gets patched to the real DOM.
React Router is the most widely used router for React, in use by almost half of all React projects. This talk is about using React Router in your project. It will start with the basics and will go through all features React Router has to offer in the current version and the upcoming 1.0 release. I will also go through some common problems including data fetching and authentication.
by Nader Dabit, Developer Advocate, AWS
We want to complement our awesome web site with an equally awesome mobile application for both iOS and Android that can be deployed from the mobile app stores. In this session, Nader Dabit will take you from Hello World to building a beautiful responsive mobile application using React Native.
The session will provide the knowledge about react page life cycle and how more precise actions or operations can be performed using react hooks concepts
Spring Security is a security solution for enterprise applications developed
using the Spring Framework.
Out of the box Spring Security provide support for OpenID, ACL, Groups, JSR 250 Security Annotation and can be easily integrated with OAuth and RESTful systems.
In this presentation we will see how to use Spring Security to switch a RESTful webapp from a classical authentication/authorization to OpenID authentication, OAuth authorization and how to use the Spring Security ACL for your Domain Objects.
Technical Architecture of RASP TechnologyPriyanka Aash
APPSEC CHALLENGES
- Writing Secure Code is not Easy
- Most follows agile development strategies
- Frequent releases and builds
- Any release can introduce or reintroduce vulnerabilities
- Problems by design.
Ex: Session Hijacking, Credential Stuffing
NgRx is a framework for building reactive applications in Angular with the Management of States. NgRx is inspired by the Redux pattern - unifying the events in your application and deriving state using RxJS.
At a high level, NgRx stores a single state and uses actions to express state changes. It makes Angular development easier by simplifying the application’s state in objects and enforcing unidirectional data flow.
It is established with 5 main components - Store, Actions, Reducers, Selectors, and Effects.
Getting started with the reactjs, basics of reactjs, introduction of reactjs, core concepts of reactjs and comparison with the other libraries/frameworks
A step towards the way you write the code in React application.In this presentation, I have given introduction about React hooks. Why we need it in our react applications and describe about the two most commonly used React Hooks API useState and useEffect. I also given the links of code snippets I added in these slides
ReactJS is arguably the most popular Javascript framework around for web development today. With more and more teams exploring and adopting React, here is TechTalks presentation elaborating fundamentals of React, in a code along session
Plain React detects changes by re-rendering your whole UI into a virtual DOM and then comparing it to the old version. Whatever changed, gets patched to the real DOM.
React Router is the most widely used router for React, in use by almost half of all React projects. This talk is about using React Router in your project. It will start with the basics and will go through all features React Router has to offer in the current version and the upcoming 1.0 release. I will also go through some common problems including data fetching and authentication.
by Nader Dabit, Developer Advocate, AWS
We want to complement our awesome web site with an equally awesome mobile application for both iOS and Android that can be deployed from the mobile app stores. In this session, Nader Dabit will take you from Hello World to building a beautiful responsive mobile application using React Native.
The session will provide the knowledge about react page life cycle and how more precise actions or operations can be performed using react hooks concepts
Spring Security is a security solution for enterprise applications developed
using the Spring Framework.
Out of the box Spring Security provide support for OpenID, ACL, Groups, JSR 250 Security Annotation and can be easily integrated with OAuth and RESTful systems.
In this presentation we will see how to use Spring Security to switch a RESTful webapp from a classical authentication/authorization to OpenID authentication, OAuth authorization and how to use the Spring Security ACL for your Domain Objects.
Technical Architecture of RASP TechnologyPriyanka Aash
APPSEC CHALLENGES
- Writing Secure Code is not Easy
- Most follows agile development strategies
- Frequent releases and builds
- Any release can introduce or reintroduce vulnerabilities
- Problems by design.
Ex: Session Hijacking, Credential Stuffing
Single Page Apps bring a unique set of concerns to authentication and user management. Robert Damphousse, lead Javascript engineer at Stormpath, will show you how to use Stormpath to secure an Angular.js app with any backend: Java, Node, PHP, .NET and more!
Robert will deep dive into Angular.js authentication best practices and an extended technical example. Join us!
Topics Covered:
- Authentication in Single Page Apps (SPA)
- Using JWTs instead of Session IDs
- Secure Cookie storage
- Cross-Origin Resource Sharing
- Where does Stormpath fit in your architecture?
- End-to-end example with Angular.js + Express.js
- Password-based registration and login
- How to secure your API endpoints
- Implement User Authorization
- Design for a frictionless User Experience
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
Your MongoDB Community Edition database can probably be a lot more secure than it is today, since Community Edition provides a wide range of capabilities for securing your system, and you are probably not using them all. If you are worried about cyber-threats, take action reduce your anxiety!
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, the tools and services AWS makes available to customers to secure and manage their resources and best practices on how to use them.
This session is recommended for anyone with questions about how AWS can meet the compliance requirements of their applications.
Vladimir Melnik from Tucha Cloud Services in the Ukraine, another company running IaaS services on Apache Cloudstack. Vladimir is the original author and maintainer of Monkeyman, a perl5 framework for Apache CloudStack automation
SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored.
The presentation describes how SAP Portal works and kinds of attacks it can be exposed to.
Whether you build software for enterprises, mobile, or internal microservices, security is important. Standards like SAML, OIDC, and SPIFFE help you solve identity and authentication, but for them authorization is out of scope. When you need to control "who can do what" in your app, you are on your own.
To solve authorization, you may be tempted to hardcode logic against SAML assertions, scopes, or X.509 certificate attributes. But, approaches like this lead to systems that are hard to understand and painful to maintain.
This talk shows how to leverage the Open Policy Agent (which is used by companies like Netflix and Chef) to build a powerful authorization system on top of industry-standard authentication protocols. The talk showcases how decoupling leads to authorization solutions that are easier to understand while enabling fine-grained control over the app.
AtlasCamp 2014: Building a Production Ready Connect Add-onAtlassian
Atlassian Connect add-ons are SaaS applications. Building and running them means planning with operations in mind: where should you host your add-on? What's the best way to deploy it? How can you monitor it once it's live? How much will it cost to run? We'll draw from Atlassian's experiences building Who's Looking for OnDemand (a production Connect add-on installed in 750 instances with 15,000 active users) to explore tips and best practices to help answer these questions and more.
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
Native Cloud-Native: Building Agile Microservices with the Micronaut FrameworkZachary Klein
This talk is a fast-paced introduction to the Micronaut framework, from creating the first app to orchestrating a microservice federation and deploying to the cloud. We will cover the basics of writing Micronaut apps, communication between services, building for resiliency, managing configuration, and deploying to a cloud provider. By the time we’re finished, you’ll have a good understanding of both the distinctives and features of the framework and be ready to start building and deploying your own apps with Micronaut. Buckle up!
Sample code: https://github.com/ZacharyKlein/hello-devnexus23
Groovy-Powered Microservices with MicronautZachary Klein
The Micronaut Framework makes building performant microservices and serverless applications with Groovy not only practical, but enjoyable! Using AST transformations and AOT compilation, Micronaut helps Groovy to shine by reducing the runtime overhead incurred by traditional frameworks, and this, together with Groovy's support for static compilation, allows you to play your favorite JVM languages to its strengths without compromising runtime performance. Come learn how Micronaut can help make your next cloud, serverless or IOT project a Groovy reality!
In an era of microservices and cloud computing, Micronaut incorporates support for cloud-friendly reliability patterns - from load balancing and circuit breakers to shared configuration and service discovery - and makes these features available and easily configurable from within your application. From the ground up, Micronaut applications are "natively" cloud-native.
The Micronaut framework values at the core, enabling code simplicity and developer productivity. Micronaut offers many additional features for a new class of applications (e.g., microservices, serverless deployments, etc.) that may not be well-suited for monoliths.
Grails 4 takes the powerful and flexibility of the Grails framework to a new level, with the latest versions of core frameworks like Spring 5.1, Spring Boot 2.1, Gradle 5, and Groovy 2.5. Additionally, Micronaut is now part of the Grails foundation, allowing many powerful features from Micronaut to be used natively within your Grails apps. In this talk, we’ll look at how you can upgrade your Grails 3 project (with a little aside for Grails 2 projects as well) to Grails 4, and get a taste of the new features at your disposal in this exciting new release.
Getting Groovy with JHipster and MicronautZachary Klein
JHipster is a rapid development platform that makes it easy to build modern JavaScript frontends backed by JVM microservices, including support for Micronaut. This allows you to produce microservice or monolith projects quickly, with plenty of customization options and a project structure that illustrates best practices when developing with Micronaut. As Micronaut is a JVM framework, it is compatible with Groovy, making it easy to use the Groovy language for tests (with Spock) and for general purpose application code, even within standard Java project.
This talk is a fast-paced introduction to the Micronaut framework, from creating the first app to orchestrating a microservice federation and deploying to the cloud. We will cover the basics of writing Micronaut apps, communication between services, building for resiliency, managing configuration, and deploying to a cloud provider. By the time we’re finished, you’ll have a good understanding of the features of the framework and be ready to start building and deploying your own apps with Micronaut. Buckle up and start the countdown!
Groovy is a powerful, agile and dynamic language for the Java platform. Groovy has a Java like syntax along with many features inspired by languages such as Python, Ruby and Smalltalk. The language has been embraced by popular frameworks including Grails, Micronaut, Spring Boot and many others. This session covers a lot of ground to quickly get Java developers started with Groovy including many interactive examples to highlight the powerful language features that make Groovy compelling. This session is targeted to demonstrate the power of Groovy and help Java developers understand how to leverage that power in their enterprise applications.
Single Page App (SPA) frameworks offer many benefits over traditional web apps which do all of their HTML generation on the server side. Popular SPA frameworks include Vue, React and Angular. Micronaut is very well suited for publishing REST APIs and is a terrific fit for implementing backend logic for SPAs.
Grails Launchpad - From Ground Zero to OrbitZachary Klein
Building upon Spring Boot, Grails offers a slew of developer-productivity enhancements without sacrificing any of the benefits of “vanilla” Boot. Whether you're altogether new to Grails, or your last Grails project was a 1.x-era scaffolding app, this workshop will help you (re)discover the power and agility of this dynamic web framework.
We'll start from scratch with the latest version of Grails and showcase the latest tools and tricks that the framework has to offer, starting with the MVC basics and scaling up to newer and/or more advanced features, including Interceptors, RESTful APIs, SPAs, Angular scaffolding, Multi-tenancy, and GraphQL schema generation.
Room with a Vue - Introduction to Vue.jsZachary Klein
Angular has brought MVC & dependency injection to the browser, while React nudges developers towards a simpler, functional approach to view rendering. What if there was a tool that took the best ideas from both of these titans, giving us simple, expressive components while still including enough “magic” to significantly boost developer productivity?
Enter Vue.js
In this talk we’ll get to know this new kid on the frontend block, contrast Vue with it’s better known rivals. We’ll explore the ecosystem: state management with Vuex, routing with Vue-router - and see why Vue.js might not be just another JavaScript framework.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...Hivelance Technology
Cryptocurrency trading bots are computer programs designed to automate buying, selling, and managing cryptocurrency transactions. These bots utilize advanced algorithms and machine learning techniques to analyze market data, identify trading opportunities, and execute trades on behalf of their users. By automating the decision-making process, crypto trading bots can react to market changes faster than human traders
Hivelance, a leading provider of cryptocurrency trading bot development services, stands out as the premier choice for crypto traders and developers. Hivelance boasts a team of seasoned cryptocurrency experts and software engineers who deeply understand the crypto market and the latest trends in automated trading, Hivelance leverages the latest technologies and tools in the industry, including advanced AI and machine learning algorithms, to create highly efficient and adaptable crypto trading bots
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Strategies for Successful Data Migration Tools.pptxvarshanayak241
Data migration is a complex but essential task for organizations aiming to modernize their IT infrastructure and leverage new technologies. By understanding common challenges and implementing these strategies, businesses can achieve a successful migration with minimal disruption. Data Migration Tool like Ask On Data play a pivotal role in this journey, offering features that streamline the process, ensure data integrity, and maintain security. With the right approach and tools, organizations can turn the challenge of data migration into an opportunity for growth and innovation.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Your Digital Assistant.
Making complex approach simple. Straightforward process saves time. No more waiting to connect with people that matter to you. Safety first is not a cliché - Securely protect information in cloud storage to prevent any third party from accessing data.
Would you rather make your visitors feel burdened by making them wait? Or choose VizMan for a stress-free experience? VizMan is an automated visitor management system that works for any industries not limited to factories, societies, government institutes, and warehouses. A new age contactless way of logging information of visitors, employees, packages, and vehicles. VizMan is a digital logbook so it deters unnecessary use of paper or space since there is no requirement of bundles of registers that is left to collect dust in a corner of a room. Visitor’s essential details, helps in scheduling meetings for visitors and employees, and assists in supervising the attendance of the employees. With VizMan, visitors don’t need to wait for hours in long queues. VizMan handles visitors with the value they deserve because we know time is important to you.
Feasible Features
One Subscription, Four Modules – Admin, Employee, Receptionist, and Gatekeeper ensures confidentiality and prevents data from being manipulated
User Friendly – can be easily used on Android, iOS, and Web Interface
Multiple Accessibility – Log in through any device from any place at any time
One app for all industries – a Visitor Management System that works for any organisation.
Stress-free Sign-up
Visitor is registered and checked-in by the Receptionist
Host gets a notification, where they opt to Approve the meeting
Host notifies the Receptionist of the end of the meeting
Visitor is checked-out by the Receptionist
Host enters notes and remarks of the meeting
Customizable Components
Scheduling Meetings – Host can invite visitors for meetings and also approve, reject and reschedule meetings
Single/Bulk invites – Invitations can be sent individually to a visitor or collectively to many visitors
VIP Visitors – Additional security of data for VIP visitors to avoid misuse of information
Courier Management – Keeps a check on deliveries like commodities being delivered in and out of establishments
Alerts & Notifications – Get notified on SMS, email, and application
Parking Management – Manage availability of parking space
Individual log-in – Every user has their own log-in id
Visitor/Meeting Analytics – Evaluate notes and remarks of the meeting stored in the system
Visitor Management System is a secure and user friendly database manager that records, filters, tracks the visitors to your organization.
"Secure Your Premises with VizMan (VMS) – Get It Now"
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
2. SHIELDS UP - SECURING REACT APPS
ABOUT US
▸ Me: Zachary Klein
▸ Based in St Louis, MO
▸ Web dev at Object Computing,
▸ Specialize in Grails & frontend
development
3. SHIELDS UP - SECURING REACT APPS
ABOUT US
▸ My company: Object Computing,
Inc
▸ Based in St Louis, MO
▸ Consulting and training
provider (24+ years experience)
▸ Corporate sponsor to the Grails
framework and Groovy
language
▸ https://objectcomputing.com
4.
5. SHIELDS UP - SECURING REACT APPS
ABOUT US
▸ Grails: A dynamic, flexible web application framework
▸ Built on top of Spring Boot
▸ First-class support for REST APIs
▸ Profiles for building applications using React,
Angular, Webpack, and RESTful backends
▸ Powerful persistence layer with GORM - supports
Hibernate, MongoDb, Neo4J, GraphQL, and more
▸ Rich plugin ecosystem: 200+ plugins and growing
▸ Active community and commercial support available.
▸ https://grails.org
9. SHIELDS UP - SECURING REACT APPS
ABOUT US
▸ You:
▸?
10. SHIELDS UP - SECURING REACT APPS
OVERVIEW
▸ Security in the world of SPAs
▸ Client-side security
▸ Cross-site-scripting Prevention
▸ Role-based Routing
▸ Server-side security*
▸ Stateless Authentication
▸ Third-party authentication
11. SHIELDS UP - SECURING REACT APPS
WHAT ARE WE PREVENTING?
▸ Unauthorized access to data
▸ Unauthorized access to UI
▸ Unexpected input
12. SHIELDS UP - SECURING REACT APPS
WHAT ARE WE PREVENTING?
▸ Unauthorized access to data
▸ API authentication
▸ Local storage
▸ Unauthorized access to UI
▸ Unexpected input
13. SHIELDS UP - SECURING REACT APPS
WHAT ARE WE PREVENTING?
▸ Unauthorized access to data
▸ API authentication
▸ Local storage
▸ Unauthorized access to UI
▸ Role-based Routing
▸ Unexpected input
14. SHIELDS UP - SECURING REACT APPS
WHAT ARE WE PREVENTING?
▸ Unauthorized access to data
▸ API authentication
▸ Local storage
▸ Unauthorized access to UI
▸ Role-based Routing
▸ Unexpected input
▸ Cross-site scripting (XSS)
15. SHIELDS UP - SECURING REACT APPS
WHAT ARE WE PREVENTING?
▸ Unauthorized access to data
▸ API authentication
▸ Local Storage
▸ Unauthorized access to UI
▸ Role-based Routing
▸ Unexpected input
▸ Cross-site scripting (XSS)
16. SHIELDS UP - SECURING REACT APPS
WHAT ARE WE PREVENTING?
▸ Unauthorized access to data
▸ API authentication
▸ Local Storage
▸ Unauthorized access to UI
▸ Role-based Routing
▸ Unexpected input
▸ Cross-site scripting (XSS)
17. SHIELDS UP - SECURING REACT APPS
CROSS SITE SCRIPTING & REACT
▸ React is XSS-safe by default
▸ Potential loopholes - href, formaction
▸ Server-side rendered content
▸ dangerouslySetInnerHTML
18. SHIELDS UP - SECURING REACT APPS
CROSS SITE SCRIPTING & REACT
▸ React is XSS-safe by default
▸ Potential loopholes - href, formaction
▸ Server-side rendered content
▸ dangerouslySetInnerHTML
▸ Third-part JavaScript
19. SHIELDS UP - SECURING REACT APPS
LOCAL STORAGE
▸ Local storage by design is only available to the same domain
▸ If an XSS attack is successful, storage is compromised
▸ Alternative is to use cookies with secure & httpOnly flags for storage
▸ But… cookies are vulnerable to Cross-Site-Request-Forgery attacks
▸ https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-
html5-web-storage
▸ Node CSRF Token generator: https://www.npmjs.com/package/csurf
20. SHIELDS UP - SECURING REACT APPS
CROSS SITE SCRIPTING & REACT
DEMO
21. SHIELDS UP - SECURING REACT APPS
ROLE-BASED AUTHORIZATION & ROUTING
▸ Routing allows SPAs to expose “URLS” within the app
▸ Most popular JavaScript frameworks either include a
router or support third-party libraries
▸ React-Router, Ng-Router, UI-Router, Vue-Router, etc
▸ Based on the URL, query params, and other criteria,
different content will be rendered
▸ Either hash-based history or HTML 5 browser history
http://myapp.com/#/my/route http://myapp.com/my/route
22. SHIELDS UP - SECURING REACT APPS
ROLE-BASED AUTHORIZATION & ROUTING
▸ User authorization vs authentication
▸ Some content should only be available to certain users
▸ E.g, admin screens, payroll management…
▸ Resources need to be secured at the server
▸ UI functionality and routes may still need to be secured
23. SHIELDS UP - SECURING REACT APPS
ROLE-BASED AUTHORIZATION & ROUTING
▸ Simple Approach
▸ Store current user roles in state
▸ Wrap routes/components in a container component
▸ Container component accepts list of required roles &
conditionally renders component
27. SHIELDS UP - SECURING REACT APPS
ROLE-BASED AUTHORIZATION & ROUTING
▸ Advanced Approach
▸ Encapsulate role evaluation in a Higher Order
Component
▸ Slightly more complex to implement
▸ More reusable code
28. SHIELDS UP - SECURING REACT APPS
HIGHER ORDER COMPONENTS
▸ Not a “true” component
▸ “… a function that takes a component and returns a new
component.” (React docs)
▸ Used to avoid cross-cutting concerns in components (e.g.,
accessing external data stores, such as Redux)
29. SHIELDS UP - SECURING REACT APPS
HIGHER ORDER COMPONENTS
// This function takes a component...
function withExternalLogic(WrappedComponent, inputFunction) {
// ...and returns another component...
return class ExternalLogic extends React.Component {
constructor(props) {
super(props);
this.state = {
//set up some state
};
}
componentDidMount() {
//perform external logic by calling `inputFunction()`
}
render() {
// ... and renders the wrapped component with the fresh data!
return <WrappedComponent data={this.state.data} {...this.props} />;
}
};
}
const MyComponentWithExtLogic = withExternalLogic(
MyComponent,
(external) => external.doSomething()
);
https://reactjs.org/docs/higher-order-components.html
32. SHIELDS UP - SECURING REACT APPS
API AUTHENTICATION
▸ Once data makes it to the UI, it’s too late to secure
▸ Authorization needs to be checked at every endpoint
▸ In a microservice architecture, each service boundary
should be secured
▸ Always use HTTPS
33. SHIELDS UP - SECURING REACT APPS
SESSION AUTHENTICATION
▸ Session-based security relies on the server to store state
▸ Usually a session cookie is provided to the client
▸ Ensures that sensitive data is stored only on the server
▸ Server controls session lifetime, timeouts, etc
▸ Typically requires interaction with data layer to verify user
identity, session state, etc
34. SHIELDS UP - SECURING REACT APPS
SESSION AUTHENTICATION
via auth0.com
35. SHIELDS UP - SECURING REACT APPS
STATELESS AUTHENTICATION
▸ Stateless authentication typically relies on encrypting
session details in a token
▸ Token is provided to client upon successful login
▸ Token can contain its own expiration date, user details,
roles (scopes)
▸ Client includes token in API requests
▸ Server can verify client’s identity/authorization via token
36. SHIELDS UP - SECURING REACT APPS
STATELESS AUTHENTICATION
via auth0.com
37. SHIELDS UP - SECURING REACT APPS
STATELESS AUTHENTICATION
▸ Unauthorized request is made to
API
▸ Responds with 401
▸ Client POSTs to login endpoint
▸ Responds with authorization
token
▸ Token included in subsequent
request
▸ Responds with resource
38. SHIELDS UP - SECURING REACT APPS
JSON WEB TOKENS
▸ https://jwt.io
▸ Open, industry-standard method for representing claims
securely between two parties
▸ Typically consist of a header, payload, and signature
39. SHIELDS UP - SECURING REACT APPS
JSON WEB TOKENS
https://jwt.io/introduction/
40. SHIELDS UP - SECURING REACT APPS
STATELESS AUTH WITH JWT
DEMO
41. SHIELDS UP - SECURING REACT APPS
OAUTH2 & THIRD-PARTY AUTHENTICATION
▸ OAuth2 is a standard for authentication and secured
resource access w/o sharing credentials
https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
42. SHIELDS UP - SECURING REACT APPS
OAUTH2 & THIRD-PARTY AUTHENTICATION
▸ OAuth2 is a standard flow for authentication and secured
resource access w/o sharing credentials
▸ Many third party authentication providers on the market
▸ Doesn’t usually make sense to stand up your own
▸ https://hackernoon.com/authentication-as-a-service-an-
honest-review-of-auth0-315277abcba1
▸ https://hackernoon.com/dev-rant-stop-reinventing-user-
auth-1193b138772
45. SHIELDS UP - SECURING REACT APPS
THIRD-PARTY AUTHENTICATION
DEMO
46. SHIELDS UP - SECURING REACT APPS
SUMMARY
▸ React is largely very safe client-side attacks
▸ Always validate user input
▸ Plan routing strategies
▸ Secure your API first
▸ Don’t re-invent the wheel - leverage existing platforms for
authentication/authorization
▸ Keep checking behind your back