Thomas Konrad

A Primer in Single Page Application Security (Angular, React, Vue.js)

Think your SPA is safe from XSS? Learn how modern frameworks can still leave you vulnerable and how to properly secure your application.

A Primer in Single Page Application Security (Angular, React, Vue.js)
#1about 3 minutes

Understanding single page application architecture

Single page applications improve speed and separation of concerns by rendering HTML on the client-side and fetching data via APIs.

#2about 5 minutes

The primary security threat of cross-site scripting

Cross-site scripting (XSS) is the main vulnerability in SPAs, where untrusted data is mixed with markup, leading to malicious code execution in the user's browser.

#3about 3 minutes

How Angular, React, and Vue handle innerHTML security

Angular automatically sanitizes `innerHTML` to prevent XSS, while React's `dangerouslySetInnerHTML` and Vue's `v-html` require manual care.

#4about 4 minutes

Securing dynamic attributes like href and src

Dynamic `href` attributes can execute JavaScript via `javascript:` URLs, and dynamic `src` or `style` attributes also pose XSS risks.

#5about 3 minutes

Using DOMPurify for robust HTML sanitization

Use the DOMPurify library to safely render untrusted HTML in frameworks like React and Vue, or to customize Angular's strict default sanitizer.

#6about 3 minutes

Why you should avoid direct DOM manipulation

Bypassing framework template engines by using direct DOM functions like `document.write` or `eval` reintroduces significant XSS vulnerabilities.

#7about 3 minutes

Using Content Security Policy for defense in depth

Implement a Content Security Policy (CSP) via HTTP headers to restrict script sources and disable inline scripts, providing a strong second layer of defense against XSS.

#8about 2 minutes

The future of XSS prevention with Trusted Types

The upcoming Trusted Types CSP directive will prevent strings from being passed to dangerous DOM functions, effectively creating a strongly-typed and safer DOM API.

#9about 3 minutes

A practical checklist for preventing XSS in SPAs

Follow a security checklist that includes using framework templates, sanitizing HTML with DOMPurify, and implementing a Content Security Policy.

#10about 3 minutes

Managing security risks in third-party dependencies

Regularly scan your project's dependencies for known vulnerabilities using tools like `npm audit` and automate the update process to mitigate risks from external code.

#11about 4 minutes

Essential web security best practices beyond SPAs

Ensure overall application security by enforcing TLS, using SameSite cookies, correctly configuring CORS, and securing WebSocket connections.

Related jobs
Jobs that call for the skills explored in this talk.

Designer

Andrew Comp

Andrew Comp
Berlin, Germany

Intermediate
Java
JavaScript

Matching moments

How modern frameworks fail to prevent all XSS attacks
04:02 MIN

How modern frameworks fail to prevent all XSS attacks

Securing Frontend Applications with Trusted Types

Unlock full access

Log in or set up an account to access this feature and more.

How SPAs came to dominate frontend development
01:22 MIN

How SPAs came to dominate frontend development

Snappy UI needs no Single-Page Application

Unlock full access

Log in or set up an account to access this feature and more.

Q&A on framework comparisons and advanced concepts
13:26 MIN

Q&A on framework comparisons and advanced concepts

Securing Frontend Applications with Trusted Types

Unlock full access

Log in or set up an account to access this feature and more.

The hidden complexities of single-page applications
04:25 MIN

The hidden complexities of single-page applications

Why HTMX is crushing React, Vue & Svelte.

Unlock full access

Log in or set up an account to access this feature and more.

Frontend developers now share responsibility for application security
02:37 MIN

Frontend developers now share responsibility for application security

Security in modern Web Applications - OWASP to the rescue!

Unlock full access

Log in or set up an account to access this feature and more.

Q&A on common pitfalls and sanitization tools
01:03 MIN

Q&A on common pitfalls and sanitization tools

101 Typical Security Pitfalls

Unlock full access

Log in or set up an account to access this feature and more.

Questioning the default choice of SPAs for web development
02:19 MIN

Questioning the default choice of SPAs for web development

Why HTMX is crushing React, Vue & Svelte.

Unlock full access

Log in or set up an account to access this feature and more.

Common accessibility challenges in React SPAs
03:43 MIN

Common accessibility challenges in React SPAs

Accessibility in React Application

Unlock full access

Log in or set up an account to access this feature and more.

Featured Partners

Related Videos

See all videos
Securing Frontend Applications with Trusted Types45:19

Securing Frontend Applications with Trusted Types

Philippe De Ryck

Cross Site Scripting is yesterday's news, isn't it?30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

Why I Recommend Svelte to Every New Web Developer31:21

Why I Recommend Svelte to Every New Web Developer

Markus Hatvan

Snappy UI needs no Single-Page Application40:24

Snappy UI needs no Single-Page Application

Clemens Helm

Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

SEO in Angular? No big deal with SSR and Angular Universal 44:00

SEO in Angular? No big deal with SSR and Angular Universal

Martina Kraus

Vuejs and TypeScript- Working Together like Peanut Butter and Jelly44:31

Vuejs and TypeScript- Working Together like Peanut Butter and Jelly

Rob Richardson

You click, you lose: a practical look at VSCode's security29:47

You click, you lose: a practical look at VSCode's security

Thomas Chauchefoin & Paul Gerste

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
LM
Luis Minvielle
The Best 7 Frontend Frameworks for Developers in 2025
Which frontend frameworks should developers focus on in 2025? We’re listing them for you and showing advantages and drawbacks. You’ll notice we included some libraries as well, because you can’t miss those in 2025.What is the best front end framework...
The Best 7 Frontend Frameworks for Developers in 2025
Dev Digest 105 - Security First
Last Friday's Dev Digest was mostly about security and game topics, so let's take a look what you didn't get in your inbox. We also covered some brand new online courses to get started as a developer or refresh your knowledge. And we wrapped up CODE1...
Dev Digest 105 - Security First
LM
Luis Minvielle
10 Developer Websites in 2023
As a web developer, you're always investigating how to level up your skills and streamline your workflow. That's why we've gathered a collection of 10 innovative tools that are guaranteed to boost your productivity, enhance your coding abilities, ele...
10 Developer Websites in 2023

From learning to earning

Jobs that call for the skills explored in this talk.