You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A developer-focused overview of 47 security concepts spanning JavaScript, frontend, and frontend-backend communication. Each concept links to a dedicated deep-dive file with explanations, attack scenarios, code examples (vulnerable vs. secure), and mitigations. Coverage aims to be broad rather than exhaustive β treat it as a structured starting point, not a definitive specification.
Architecture
This repo ships two presentation formats built from the same concepts:
slides.html (Reveal.js)
slides.md (Slidev)
Purpose
Canonical presentation, deployed to GitHub Pages
Companion deck, hot-reload local dev
Navigation
2D β Right = next category, Down = concept slides
Linear
Deploy
Automatic via deploy.yml
npm run dev or manual build
PDF export
npm run export:reveal-pdf
npm run export:slidev-pdf
slides.html is the source of truth. When updating content, update both.
Note on file numbering: concepts 12 (LDAP Injection) and 26 (Certificate Pinning) were intentionally removed as out-of-scope for modern JS stacks. Their numbers were not reused to avoid breaking existing links. The gaps are not errors.
How to Use This Reference
Each entry includes a one-to-two sentence summary. Click the link to open the detailed file for that concept, which contains: a full explanation, how attacks work, code examples (vulnerable vs. secure), and mitigations.
Attackers inject malicious scripts into trusted web pages, running in the victim's browser to steal data or hijack sessions. Comes in three forms: Stored, Reflected, and DOM-based.
A malicious page overlays a transparent iframe over a legitimate site, tricking users into clicking UI elements they can't see. Prevented with X-Frame-Options and CSP frame-ancestors.
Attackers inject properties into JavaScript's Object.prototype, altering the behavior of all objects in the app β often leading to XSS or remote code execution.
Storing sensitive tokens or PII in localStorage, sessionStorage, or insecure cookies exposes them to XSS theft. HttpOnly cookies and short-lived tokens are safer alternatives.
A URL parameter controls where the app redirects users; attackers exploit this to send victims to phishing sites while appearing to come from a trusted domain.
Module Federation and similar MFE architectures introduce cross-remote trust boundaries; an untrusted remote can escalate privileges, poison shared state, or inject scripts into the host shell.
Each major frontend framework has specific pitfalls β dangerouslySetInnerHTML, v-html, Angular's bypassSecurityTrustHtml, SSR hydration mismatches β that re-open XSS channels if misused.
Unsanitized user input is embedded in SQL queries, allowing attackers to read, modify, or delete database data. Parameterized queries and ORMs eliminate this risk.
Untrusted input rendered directly into HTML templates (server-side or client-side) can lead to XSS or, in server-side template engines, full remote code execution (SSTI).
A malicious site tricks the victim's authenticated browser into making state-changing requests to another site. Mitigated with CSRF tokens and SameSite cookie attributes.
Browser policy that restricts cross-origin HTTP requests; misconfigured CORS headers (e.g., Access-Control-Allow-Origin: * with credentials) expose APIs to unauthorized access.
The server is tricked into making HTTP requests to internal services on the attacker's behalf, potentially exposing cloud metadata endpoints or internal APIs.
OAuth flows can be exploited via authorization code interception, open redirects in redirect_uri, token leakage, and PKCE bypass if not implemented correctly.
WebSocket connections bypass some browser security policies; they require origin validation, authentication tokens, and protection against message injection.
The browser's native crypto.subtle API offers secure primitives (AES-GCM, PBKDF2, ECDH), but misuse β weak IVs, ECB mode, Math.random for keys, key storage in localStorage β undermines all security guarantees.
Attackers inject unkeyed request headers (e.g. X-Forwarded-Host) to make CDN caches serve malicious responses to all users; cache deception tricks caches into storing private data at predictable public URLs.
Deserializing attacker-controlled data (JSON, XML, binary) without validation can lead to object injection, privilege escalation, or remote code execution.