node.js, socket.io, express and other technologies are simply awesome for the real time web. They are enabling front end JavaScript developers to take their skills to the server. This does not come without a price. Adam will discuss his experiences and thoughts on securing real time systems built on some of these technologies. The talk hopes to promote positive discussion, not finger pointing, about how we as a community can avoid the pitfalls of the past and make the realtime web a safer place.
Adam is the co-founder of nGenuity where he focuses on helping developers ship secure code.
8. A security lesson: instead of action and safe_action, your API should be action and unsafe_action. Safe should be the default / via @jezdez
Keeping it Realtime // @adam_baldwin
17. If you fell asleep:
- Set socket.io origins
- Properly authorize sockets
- Use CSRF tokens
- Contextual output encoding
- Do all this by default
- Write better docs