Web Directions safe 2023

Global, Online. Early 2023

security, privacy, identity for front end developers

Day 1

  • December 3rd
  • 11:00am–3:00pm Sydney
  • 12:00pm–4:00pm London
  • 1:00pm–5:00pm New York

Set safer site defaults for today and tomorrow

Rowan Merewood, Developer Relations Engineer Chrome

The web has a history of being an over-sharer. Original defaults tended to allow everything, with restrictions needing to be explicitly added by the site. Newer APIs follow the principle of least privilege, so that's better, but the challenge of maintaining backwards compatibility still leaves sites with a lot of responsibility to create a safe experience for visitors.

We'll explore how the platform is moving to safer defaults—from phasing out third-party cookies, removing passive fingerprinting surfaces, and enforcing cross-origin isolation. Alongside these ongoing efforts, we'll also go through the changes you can make today to protect your site—from improving cookie usage to locking down your third-party interactions. We will also explore some patterns for balancing appropriate collection of user information with protecting those same users from phishing or other forms of fraud.
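The "improving cookie usage" part of the talk is concrete enough to check mechanically. The following is an added example, not code from the talk or from Chrome: a small Set-Cookie audit whose rules encode current browser behaviour (Chrome treats a cookie with no SameSite attribute as Lax, SameSite=None is rejected unless Secure is also set, and the __Host- prefix is only honoured with Secure, Path=/ and no Domain). The two sample headers are constructed for the example.

```javascript
// Added example (not from the talk): audit Set-Cookie headers against the
// attribute defaults browsers now expect. Sample headers are constructed.

function parseSetCookie(header) {
  const [nameValue, ...rawAttrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attrs = {};
  for (const a of rawAttrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Returns a list of findings; an empty list means the header passed every rule.
function auditSetCookie(header, { sessionCookie = false } = {}) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;

  if (!attrs.secure) findings.push('missing Secure');
  if (sessionCookie && !attrs.httponly) findings.push('missing HttpOnly');
  if (sameSite === undefined) findings.push('missing SameSite (Chrome defaults to Lax; other browsers may not)');
  if (sameSite === 'none' && !attrs.secure) findings.push('SameSite=None without Secure is rejected');
  if ('domain' in attrs) findings.push(`Domain=${attrs.domain} shares the cookie with every subdomain`);

  if (name.startsWith('__Host-')) {
    // Browsers drop a __Host- cookie that does not meet all three conditions.
    if (!attrs.secure || attrs.path !== '/' || 'domain' in attrs) {
      findings.push('__Host- prefix requires Secure, Path=/ and no Domain');
    }
  } else if (sessionCookie) {
    findings.push('session cookie should use the __Host- prefix');
  }
  return findings;
}

// Constructed examples: a weak legacy session cookie and its hardened replacement.
const WEAK_COOKIE = 'sid=8f3a2c; Path=/; Domain=example.com';
const HARDENED_COOKIE = '__Host-sid=8f3a2c; Path=/; Secure; HttpOnly; SameSite=Lax';

console.log(auditSetCookie(WEAK_COOKIE, { sessionCookie: true }));
console.log(auditSetCookie(HARDENED_COOKIE, { sessionCookie: true }));
```

Run it over the Set-Cookie headers your server actually emits (for example from a recorded response) rather than the ones you think it emits; framework defaults and legacy middleware are where the gaps usually hide.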

Continuous Security - Building Security into your Pipelines

DeveloperSteve Coochin, Senior Dev Advocate Snyk

In the world of continuous delivery and cloud native, the boundaries between what is our application and what constitutes infrastructure are becoming increasingly blurred. Our workloads, the containers they ship in, and our platform configuration are now often developed and deployed by the same teams, and development velocity is the key metric to success.

This presents us with a challenge which the previous models of security as a final external gatekeeper step cannot keep up with. To ensure our apps and platforms are secure, we need to integrate security at all stages of our pipelines and ensure that our developers and engineering teams have tools and data which enable them to make decisions about security on an ongoing basis.

Break time


Time for a quick break for a cup of coffee or tea. Chat to fellow attendees and speakers. Or visit one of our fantastic partners.

Hardened JavaScript

Kris Kowal, Software Engineer Agoric

Running other people's code is dangerous and some people will even tell you that you shouldn't do it. I'm here to tell you that actually, you can run other people's code safely. The solution is hardened JavaScript.

Let's talk about JWT

Jessica Temporal, Sr. Developer Advocate Auth0

JSON Web Tokens, or JWTs for short, are all over the web. They can be used to track bits of information about a user in a very compact way and can be used in APIs for authorization purposes. Join me and learn what JWTs are, what problems they solve, and how you can use JWTs in your applications.

Refreshment break


Need a quick breather? Or why not share your thoughts with others attending? We'll be back soon.

The State of XSS: Best practices for a secure web experience

Matthew Kairys, Lead Software Engineer DiUS

As the web continues to evolve, it’s become increasingly challenging for developers to build secure web experiences that users can trust. Cross-site scripting (XSS) attacks continue to exploit many trusted web applications today, resulting in malicious JavaScript being injected and executed within a user’s browser. This can lead to catastrophic results such as the user’s session being hijacked and having their personal data stolen.

This session will help you understand the latest developments in XSS and how to follow best practices to mitigate these types of attacks. You’ll walk away with a checklist to help validate that your applications are best secured to protect your users and digital brand.

Eliminating XSS by adopting Trusted Types

Bjarki Ágúst Guðmundsson, Security Engineer Google

Year after year, Cross-Site Scripting (XSS) continues to be the most expensive type of web vulnerability found in bug bounty programs. The most common variant of XSS occurs on the client side, when untrusted user input is passed to dangerous DOM APIs. Trusted Types is a novel web browser API designed to eliminate DOM-based XSS.

It locks down dangerous DOM sinks, asking developers to prove that input is safe by using an appropriate security policy to avoid triggering a Trusted Types violation. Analyzing results from Google's Vulnerability Reward Program, it has been shown to prevent at least 61% of DOM-based XSS that Google's static code analysis pipeline missed. In this talk we show how web applications can significantly strengthen their security posture against DOM-based XSS by adopting Trusted Types, as well as the steps required to identify, fix, and prevent future Trusted Types violations.
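Both XSS sessions above come down to the same control point: untrusted strings must not reach a DOM sink unchanged. The following is an added example, not code from either talk or from Google: a Trusted Types policy that escapes untrusted HTML and allowlists script URLs, plus the CSP header that makes the browser enforce it. In a browser with Trusted Types the real trustedTypes object is used; the small shim below is an assumption so the policy logic can run and be tested outside a browser, and the allowed script origin is a placeholder.

```javascript
// Added example (not from the talks): a Trusted Types policy for DOM sinks.
// With the CSP below, assigning a plain string to innerHTML, script.src or
// similar throws; only values produced by a listed policy are accepted.
const CSP_HEADER =
  "Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-policy";

// Use the browser API where present; otherwise a minimal stand-in with the
// same createPolicy() shape (assumption, for running outside a browser).
const tt = globalThis.trustedTypes ?? {
  createPolicy(name, rules) {
    return {
      name,
      createHTML: (input) => rules.createHTML(String(input)),
      createScriptURL: (input) => rules.createScriptURL(String(input)),
    };
  },
};

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Placeholder: the only origin this app may load scripts from.
const ALLOWED_SCRIPT_ORIGIN = 'https://static.example.com';

const appPolicy = tt.createPolicy('app-policy', {
  // Untrusted text becomes escaped text, so markup in the input is never live.
  // For rich HTML you would sanitize (e.g. DOMPurify) instead of escaping.
  createHTML: (input) => escapeHtml(input),
  // Resolve relative to the allowed origin, then refuse anything that lands
  // elsewhere: absolute URLs, protocol-relative URLs, javascript: and data:.
  createScriptURL: (input) => {
    let url;
    try {
      url = new URL(input, ALLOWED_SCRIPT_ORIGIN);
    } catch {
      throw new TypeError(`unparseable script URL: ${input}`);
    }
    if (url.protocol !== 'https:' || url.origin !== ALLOWED_SCRIPT_ORIGIN) {
      throw new TypeError(`script URL not allowed: ${input}`);
    }
    return url.href;
  },
});

// Sink helpers the application code would call instead of raw string assignment.
function renderComment(text) {
  return String(appPolicy.createHTML(text)); // -> el.innerHTML = appPolicy.createHTML(text)
}
function scriptUrlFor(path) {
  return String(appPolicy.createScriptURL(path)); // -> script.src = appPolicy.createScriptURL(path)
}
function isScriptUrlAllowed(path) {
  try {
    scriptUrlFor(path);
    return true;
  } catch {
    return false;
  }
}

console.log(CSP_HEADER);
console.log(renderComment('<img src=x onerror=alert(1)>'));
console.log(scriptUrlFor('/js/app.js'));
```

Roll it out with Content-Security-Policy-Report-Only first: every reported violation is a sink you have not yet routed through a policy, which is exactly the inventory of DOM XSS candidates the talk describes finding and fixing.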

Day 2

  • December 10th
  • 11:00am–3:00pm Sydney
  • 12:00pm–4:00pm London
  • 1:00pm–5:00pm New York

The Art of Authentication & Authorization

Kim Maida, VP of Developer Relations Ionic

Authentication and authorization are daunting topics for many developers. Open standards for auth are well defined, but challenging to understand; OAuth, OIDC, JWT, IETF, PKCE?! I'll demystify the specs and concepts step-by-step, giving you the knowledge you need to tackle auth in your front-end apps.

Auth on the web: better experiences

Phil Nash, Developer Evangelist Twilio

It's a common practice to verify a phone number or implement two factor authentication by sending a one time password over SMS. We can all agree that it's a pretty terrible user experience though.

This process may increase security, but the friction can decrease conversion and the user experience in general. Android and iOS have APIs to combat this, so why not the web? In this talk we'll take a look at autocomplete and the WebOTP API to see how the web platform can help us build secure flows and a better experience all round.

Auth on the web: better authentication

Kelley Robinson, Account Security Developer Evangelist Twilio

New technology is challenging the premise that we have to choose between more friction or more security for authenticating users. This talk will explore the benefits and drawbacks of frictionless authentication options beyond traditional one-time passcodes like biometrics, contextual data, or using devices as secure keys.

Voice recognition in call centers saves both the user and the agent time and frustration. IP address validation is a fast way to trigger additional checks. Device fingerprinting provides a seamless user experience for repeat visitors.

These kinds of frictionless background authentication checks have been deployed to increase trust and improve user experience but aren't a perfect solution: algorithms have bias, IP addresses can be spoofed, and people lose devices.

This talk will walk through three categories of frictionless authentication: biometrics, contextual data, and using devices as keys. We'll discuss the pros and cons of different solutions, including how to make your users feel secure when they don't see the security happening. Finally, we'll offer recommendations for adding frictionless authentication to your application.

Refreshment break


Need a quick breather? Or why not share your thoughts with others attending? We'll be back soon.

Credentials management on the modern web

Maye Edwin, Senior Software Engineer Sky.Garden

With how reachable the web is, everyone is building apps that run on it to target its massive number of users. Many of these web apps require sign-ups or authentication of some form. Learn how to build your web app around one of its core tenets, safety, and how you could use the Credential API to build a robust and secure web app on the modern web.

Introduction to cryptography on the frontend

Dan Draper, Founder & Chief Stashie CipherStash

Cryptography forms the backbone of how we securely use information online, but most developers don’t have more than a surface level understanding of cryptography. What's more, cryptography is so easy to mess up - even the experts get it wrong!

In this talk, attendees will learn about the basic cryptographic algorithms, how to use cryptographic libraries correctly (and what to avoid), what common attacks you should be thinking about, and what emerging web cryptography technologies you should be paying attention to.

Pay the Web Forward

Alex Lakatos, Technology Lead Interledger Foundation

Trying to get paid on the Web today, as a creator, is broken and unfair. 70% of ad spend globally goes to only 2 platforms. Until recently, the Web couldn't natively compete.

A new W3C Standard proposal, Web Monetization, uses the Interledger Protocol to enable developers like you to make money from your work in an open, native, and seamless way. And all that with as little as a single line of HTML!

Break time


Time for a quick break for a cup of coffee or tea. Chat to fellow attendees and speakers. Or visit one of our fantastic partners.

HTTP/3: Fast and Secure, but Complex

Robin Marx, Postdoctoral researcher KU Leuven

TBF

Getting Some Privacy on the Web

Robin Berjon, VP Data Governance The New York Times

Privacy feels hard — but it doesn't need to be. If we move past a few confusing notions and the idea that we have to get everything perfectly right immediately, we can find ways to know what needs to be done and to get there step by step.

Attend your way

Attend Safe online, alongside some or all of our other front end engineering focussed conferences in 2022 and 2023.

Or attend Safe as part of a membership to our comprehensive conference platform, Conffab. Conffab features hundreds of conference videos from our conferences, and other great conferences around the world.

2022 All Conference Pass ($595)

  • all 6 planned online Web Directions conferences in 2022/23, live
  • all planned conference videos
  • 12 months Conffab plus membership

Safe+ ($295 early bird, $395 standard)

  • Safe conference
  • Safe conference videos
  • 12 months Conffab plus membership

Safe classic ($195 early bird until April 6th, $295 standard)

  • Safe conference
  • Safe conference videos

What each pass includes

  • All planned online Web Directions conferences: access to all 6 online Web Directions conferences in 2022/23, 50+ hours of content. Included in: All Conference Pass.
  • Safe Conference (Early 2023): 2 in-depth sessions, 6+ hours of content, world leading experts, hallway track. Included in: All Conference Pass, Safe+, Safe classic.
  • Safe Conference Videos: all the Safe conference presentations, captioned, transcribed and more. Included in: All Conference Pass, Safe+, Safe classic.
  • 12 months Conffab plus membership: 1 year access to our growing library of hundreds of conference presentation videos from world leading conferences. Included in: All Conference Pass, Safe+.

Partners

We work closely with our partners and their technologies to deliver world leading online conferences.

Contact us for more on how we can work with you to help you be even more awesome.

Praise for past Web Directions events

Web Directions is the must-attend event of the year for anyone serious about web development.

Phil Whitehouse, Innovation Lead DigitasLBi

I’ve been admiring the Web Directions events for years, and was honored to be part… What a fantastic event!

Ethan Marcotte, inventor of "responsive Web design"

Out of any conference, Web Directions is far and away our favourite.

Dave Greiner, founder Campaign Monitor

About Us

Co-founded and now run by John Allsopp, Web Directions has for nearly 20 years brought together leading developers, engineers, visual, IxD, UX and product designers, art and creative directors, product managers, indeed everyone involved in producing web and digital products, to learn from one another and from the world's leading experts across this vast field.

We spend our lives thinking about what comes next, keeping up with trends in technology, practices and processes, and filtering the hype, to make sure you don't miss trends that matter, and don't waste time on hype that doesn't.

We promise attending one of our events will leave you significantly better versed in the challenges you face day to day, and in solutions for addressing them.


John Allsopp

John Allsopp has been working on the Web for nearly 30 years. He's been responsible for innovative developer tools such as Style Master, X-Ray and many more. He's spoken at numerous conferences around the World and delivered dozens of workshops in that time as well.

His writing includes two books, including Developing With Web Standards, and countless articles and tutorials in print and online publications.

His "A Dao of Web Design", published in 2000, is cited by Ethan Marcotte, whose acclaimed 2010 article begins by quoting John in detail, as a key influence in the development of Responsive Web Design, and by Jeremy Keith as "a manifesto for anyone working on the Web".

Code of Conduct

For over a decade, we've worked hard to create inclusive, fun, inspiring and safe events for the Web industry.

As part of our commitment to these values, we've adopted a code of conduct for all involved: ourselves, our speakers, our partners and our audience.

If you have any concern or feedback, please don't hesitate to contact us.