Hi, I'm money she covered from Publicis Sapient. I'm going to talk about a practical guide to securing your modern web application, building universal JavaScript-based applications, whether it is based on a headless architecture or not, right? So many times, when it comes to a developer or an architect, everybody will say "make a secure web application", whether it is a financial application or a retail-based application, but nobody tells us how. So I'll give an example. I was working on a product and there was a SQL injection attack, 10 or 15 years back, and they said, "fix this." And I didn't even know what SQL injection was or how to fix it, right? So over a period of time I gained the experience, researched around all those topics and collected a list. So I will be sharing that with you.

So why is security important? Have you heard this new term, "data is money"? Right? So when a data breach happens, it could cost the whole business and jobs, right? So sensitive data, personal identity, if lost, could cost a lot. Now, because we have a time constraint of five minutes, I will start with the takeaways, right? We can probably learn more about the details through the presentation. I have already uploaded it on SlideShare. You can download that. I will share the QR code as well.

So the takeaways: I would say you should have a checklist to follow. The checklist should be like: consider security as part of your architectural discussion and design. Second one would be: validate each and every input, sanitize your input, encode it and encrypt it, and do not trust any data or anybody for that matter, right? So be pessimistic about building your application. You should be aware of what input you're getting and what output is expected, and do not allow any other output or input. Use proven libraries for session management.
Well, what happens is we go and create our own custom encryption algorithms because we want to experiment with that, and that fails us in terms of security. Do not leak PII, personally identifiable information, in your logs. Sometimes what happens is, just to put a lot of logs into the system, we also log headers which contain some sensitive information, or even some data which contains maybe payment information, credit card information and whatnot. Set appropriate headers to achieve all these things, right? So it could be related to an XSS attack; just set appropriate headers for that.

So what are the different types of flaws in the system that we usually see? These are some of the examples, but there are primarily two categories. One is architectural decisions that were taken, and second is engineering ignorance while developing it. So a few common vulnerabilities and attacks: XSS, clickjacking, ReDoS, typosquatting, CSRF. You might have heard about them. If not, then you can probably research around them, right? ReDoS is an important one, because this blew my mind: how a regular expression can create a denial-of-service attack, right? We write regular expressions for our validation rules in the forms as well as for our routes, right? And this could cause the system to fall down, and it becomes a single point of failure in many cases. So these are some of the solutions that I would recommend. Some other attacks: XSS through CSS, directory traversal attack, SQL injection, leaking information. So these are some of the other ones. So I think we had another session on CSP itself. Then how do you keep your servers updated, sanitize your inputs? So how do you find vulnerabilities? There should be tools to find that, right? So these are some of the tools that I could research around and figure out that I could use to find the vulnerabilities.
Now, best practices always come in handy when it is about security, performance, accessibility, anything related to non-functional requirements, but I believe those should be functional requirements for that matter. So use linting, whitelist your CORS origins, sanitize input, use HttpOnly cookies.

How do you set secure headers? So Helmet comes as a very good package, a middleware which you can use in your Node application to secure it. It's just a single line, app.use(helmet()), and you are secured with n number of headers already set for your application. So I won't talk about those details. These are part of the slides. I will share the QR link and you can download how you can implement all those things. So content security policy; permitted cross-domain policies; DNS prefetch control; Expect-CT, certificate transparency; feature policy, which features the browser could probably use, right; X-Frame-Options; strict transport security, which restricts it to HTTPS only; content type options, so that browsers do not sniff your data and MIME type; then Referrer-Policy, where the user is coming from; and XSS protection.

And how do you sanitize input? So at the Node layer you can probably put a package; we are using xss because it provides more flexibility and you can sanitize the query, headers, URL, whatnot.

And the last bit I would say is auditing the architecture for security, right? So what happens is, before every release, we should have an audit. Those audits are usually done by security experts, but you should involve the system architects and follow threat modeling models and tools, as well as manual code audits. So this is the last bit I would like to say: making secure applications should be part of every developer's DNA, right? It is not a post-implementation affair where, once the application is developed, you then have to fix the security issues.
So this is the QR code you can scan and download the slides if you need for future reference. Thank you.