Web Directions safe 2021

Global, Online, Dec. 3 & 10 2021

security, privacy, identity for front end developers

About Safe

Until recently, security, privacy and identity have been considered the responsibility of security experts, back end developers and operations. But as browser privacy, security and identity APIs bring increasing capability to the front end, front end developers are gaining, along with the power, ever more responsibility.

We've created Safe for web and front end developers, for many of whom these issues are a relatively small part of their day-to-day. Our aim is to keep front end professionals up to date with developments in privacy, security and identity technologies and practices, to help them deliver safer, more secure (and better) web experiences.

Who's it for?

Safe is for web and front end developers, engineering managers, CTOs–everyone responsible for developing web sites and applications.

In depth knowledge

All Web Directions conferences feature in-depth knowledge from real world experts. Some you'll know, many you won't, but all bring a world of experience and knowledge.

speakers and audience
  • 12+ Transformational speakers
  • 8+ Hours of content
  • 2 Deep sessions
  • 1 Extraordinary Conference

Web Directions Conffab

Stream and download nearly 1,000 presentations from hundreds of world leading experts at 50 conferences…and counting

With free and paid levels, keep up to date with all that's happening in our industry at your own pace.

Re-imagined as remote-only

In response to the unique challenges of COVID-19 we transformed our conferences into remote only events. But we wanted to go way beyond what most online events deliver.

Building on the extensive work we've done with our conference presentation platform Conffab, we have re-imagined the conference experience from the ground up, rather than just porting traditional conferences to the Web.

With a focus on highly engaging, expertly filmed and edited, screen-oriented presentations, alongside spaces to connect, communicate and keep in touch with everything around the conference, you'll be immersed as if you were there–maybe even more so.

How does Safe work?

Most online conferences run just like in-person conferences–one or two jam-packed days of live streamed presentations. But with so many folks working remotely, and spending so much of their day in front of a screen, we felt it was imperative to rethink this, and do something differently.

Safe takes place over 2 consecutive Fridays in late 2021. It will run for around 4 hours each session (with a bit of downtime built-in). Plus we'll run it 3 times so wherever you are in the world, you can participate along with your peers, from the comfort of your own home (or maybe even your office).

Extraordinary speakers

We've brought together a world–class lineup of experts, covering everything you need to know about privacy, security, identity and payments as a front end developer.

Covering

  • authentication
  • oauth
  • WebAuthn
  • Secure JavaScript
  • JWT
  • Privacy
  • Credential Management API
  • secure pipelines
  • browser security
  • XSS
  • cryptography
  • Trusted Types
  • Web Monetization
  • Interledger Protocol
  • OIDC
  • PKCE
  • HTTP3 and security
  • biometrics
  • WebOTP
  • 2FA
  • more…

Featuring

Phil Nash Developer Evangelist Twilio

Auth on the web: better experiences

It's a common practice to verify a phone number or implement two factor authentication by sending a one time password over SMS. We can all agree that it's a pretty terrible user experience though.

This process may increase security, but the friction can decrease conversion and the user experience in general. Android and iOS have APIs to combat this, so why not the web? In this talk we'll take a look at autocomplete and the WebOTP API to see how the web platform can help us build secure flows and a better experience all round.

Kris Kowal Software Engineer Agoric

Hardened JavaScript

Running other people's code is dangerous and some people will even tell you that you shouldn't do it. I'm here to tell you that actually, you can run other people's code safely. The solution is hardened JavaScript.

Jessica Temporal Sr. Developer Advocate Auth0

Let's talk about JWT

JSON Web Tokens, or JWTs for short, are all over the web. They can be used to track bits of information about a user in a very compact way and can be used in APIs for authorization purposes. Join me and learn what JWTs are, what problems they resolve, and how you can use JWTs in your applications.

Robin Berjon VP Data Governance The New York Times

Getting Some Privacy on the Web

Privacy feels hard — but it doesn't need to be. If we move past a few confusing notions and the idea that we have to get everything perfectly right immediately, we can find ways to know what needs to be done and to get there step by step.

Maye Edwin Senior Software Engineer Sky.Garden

Credentials management on the modern web

With how reachable the web is, everyone is building apps that run on it to target its massive number of users. Many of these web apps require sign-ups or authentication of some form. Learn how to build your web app around one of its core tenets, safety, and how you could use the Credential API to build a robust and secure web app on the modern web.

Kim Maida VP of Developer Relations Ionic

The Art of Authentication & Authorization

Authentication and authorization are daunting topics for many developers. Open standards for auth are well defined, but challenging to understand; OAuth, OIDC, JWT, IETF, PKCE?! I'll demystify the specs and concepts step-by-step, giving you the knowledge you need to tackle auth in your front-end apps.

DeveloperSteve Coochin Senior Dev Advocate Snyk

Continuous Security - Building Security into your Pipelines

In the world of continuous delivery and cloud native, the boundaries between what is our application and what constitutes infrastructure are becoming increasingly blurred. Our workloads, the containers they ship in, and our platform configuration are now often developed and deployed by the same teams, and development velocity is the key metric to success. This presents us with a challenge which the previous models of security as a final external gatekeeper step cannot keep up with. To ensure our apps and platforms are secure, we need to integrate security at all stages of our pipelines and ensure that our developers and engineering teams have tools and data which enable them to make decisions about security on an ongoing basis.

Rowan Merewood Developer Relations Engineer Chrome

Set safer site defaults for today and tomorrow

The web has a history of being an over-sharer. Original defaults tended to allow everything—with restrictions needing to be explicitly added by the site. Newer APIs follow the principle of least privilege, so that's better, but the challenge of maintaining backwards-compatibility still leaves sites with a lot of responsibility to create a safe experience for visitors. We'll explore how the platform is moving to safer defaults—from phasing out third-party cookies, removing passive fingerprinting surfaces, and enforcing cross-origin isolation. Alongside these ongoing efforts, we'll also go through the changes you can make today to protect your site—from improving cookie usage to locking down your third-party interactions. We will also explore some patterns for balancing appropriate collection of user information with protecting those same users from phishing or other forms of fraud.

Matthew Kairys Lead Software Engineer DiUS

The State of XSS: Best practices for a secure web experience

As the web continues to evolve, it’s become increasingly challenging for developers to build secure web experiences that users can trust. Cross-site scripting (XSS) attacks continue to exploit many trusted web applications today, resulting in malicious JavaScript being injected and executed within a user’s browser. This can lead to catastrophic results such as the user’s session being hijacked and having their personal data stolen. This session will help you understand the latest developments in XSS and how to follow best practices to mitigate these types of attacks. You’ll walk away with a checklist to help validate that your applications are best secured to protect your users and digital brand.

Dan Draper Founder & Chief Stashie CipherStash

Introduction to cryptography on the frontend

Cryptography forms the backbone of how we securely use information online, but most developers don’t have more than a surface level understanding of cryptography. What's more, cryptography is so easy to mess up - even the experts get it wrong! In this talk, attendees will learn about the basic cryptographic algorithms, how to use cryptographic libraries correctly (and what to avoid), what common attacks you should be thinking about, and what emerging web cryptography technologies you should be paying attention to.

Bjarki Ágúst Guðmundsson Security Engineer Google

Eliminating XSS by adopting Trusted Types

Year after year, Cross-Site Scripting (XSS) continues to be the most expensive type of web vulnerability found in bug bounty programs. The most common variant of XSS occurs on the client side, when untrusted user input is passed to dangerous DOM APIs. Trusted Types is a novel web browser API designed to eliminate DOM-based XSS. It locks down dangerous DOM sinks, asking developers to prove that input is safe by using an appropriate security policy to avoid triggering a Trusted Types violation. Analyzing results from Google's Vulnerability Reward Program, it has been shown to prevent at least 61% of DOM-based XSS that Google's static code analysis pipeline missed. In this talk we show how web applications can significantly strengthen their security posture against DOM-based XSS by adopting Trusted Types, as well as the steps required to identify, fix, and prevent future Trusted Types violations.

Alex Lakatos Technology Lead Interledger Foundation

Pay the Web Forward

Trying to get paid on the Web today, as a creator, is broken and unfair. 70% of ad spend globally goes to only 2 platforms. Until recently, the Web couldn't natively compete.

A new W3C Standard proposal, Web Monetization, uses the Interledger Protocol to enable developers like you to make money from your work in an open, native, and seamless way. And all that with as little as a single line of HTML!

Robin Marx Postdoctoral researcher KU Leuven

HTTP/3: Fast and Secure, but Complex

TBF

Kelley Robinson Account Security Developer Evangelist

Auth on the web: better authentication

New technology is challenging the premise that we have to choose between more friction or more security for authenticating users. This talk will explore the benefits and drawbacks of frictionless authentication options beyond traditional one-time passcodes like biometrics, contextual data, or using devices as secure keys.

Voice recognition in call centers saves both the user and the agent time and frustration. IP address validation is a fast way to trigger additional checks. Device fingerprinting provides a seamless user experience for repeat visitors.

These kinds of frictionless background authentication checks have been deployed to increase trust and improve user experience but aren't a perfect solution: algorithms have bias, IP addresses can be spoofed, and people lose devices.

This talk will walk through three categories of frictionless authentication: biometrics, contextual data, and using devices as keys. We'll discuss the pros and cons of different solutions, including how to make your users feel secure when they don't see the security happening. Finally, we'll offer recommendations for adding frictionless authentication to your application.

Diversity Scholarships

We have diversity scholarships available for all our events. These provide full attendance just like any other attendee. We don't draw attention to those who have received a scholarship, but do look to make connections between them, and with our diversity sponsors, to help ensure the most valuable possible experience.

Our Scholarships focus on people who are unemployed, under-employed, self employed or in the early stages (up to 3 years) of their careers who identify as belonging to a group or groups under-represented at events like ours, and who might otherwise find it difficult to afford to attend.

Read more and apply at our diversity page.

Our family of world leading front end developer conferences

Web Directions hover 2022

The conference CSS deserves

Online, globally, April 2022

Web Directions lazy load 2022

a conference on front end performance

Online, globally, May 2022

Web Directions global scope 2022

a conference all about JavaScript

Online, globally, July 2022

Web Directions Code 2023

a conference on progressive web apps and web platform

Online, globally, early 2023

Web Directions aaa 2023

accessibility engineering for front end developers

Online, globally, early 2023

Web Directions Safe 2023

privacy, security, identity for front end developers

Online, globally, early 2023

Web Directions remixed 2023

The best of 2022, remixed, and free!

Online, globally 2023

Partners

We work closely with our partners and their technologies to deliver world leading online conferences.

Contact us for more on how we can work with you to help you be even more awesome.

Praise for past Web Directions events

Web Directions is the must-attend event of the year for anyone serious about web development.

Phil Whitehouse,
Innovation Lead DigitasLBi

I’ve been admiring the Web Directions events for years, and was honored to be part… What a fantastic event!

Ethan Marcotte,
inventor "responsive Web design"

Out of any conference, Web Directions is far and away our favourite

Dave Greiner,
founder Campaign Monitor

About Us

Co-founded and now run by John Allsopp, Web Directions has for nearly 20 years brought together leading developers, engineers, visual, IxD, UX and product designers, Art and Creative Directors, product managers, indeed everyone involved in producing web and digital products, to learn from one another and from the world's leading experts across this vast field.

We spend our lives thinking about what comes next, keeping up with trends in technology, practices and processes, and filtering the hype, to make sure you don't miss trends that matter, and don't waste time on hype that doesn't.

We promise attending one of our events will leave you significantly better versed in the challenges you face day to day, and in solutions for addressing them.

John Allsopp

John Allsopp has been working on the Web for nearly 30 years. He's been responsible for innovative developer tools such as Style Master, X-Ray and many more. He's spoken at numerous conferences around the World and delivered dozens of workshops in that time as well.

His writing includes two books, including Developing With Web Standards, and countless articles and tutorials in print and online publications.

His "A Dao of Web Design", published in 2000, is cited by Ethan Marcotte, whose acclaimed article in 2010 begins by quoting John in detail, as a key influence in the development of Responsive Web Design, and by Jeremy Keith as "a manifesto for anyone working on the Web".

Code of Conduct

For over a decade, we've worked hard to create inclusive, fun, inspiring and safe events for the Web Industry.

As part of our commitment to these values, we've adopted a code of conduct for all involved: ourselves, our speakers, our partners and our audience.

If you have any concern or feedback, please don't hesitate to contact us.