Thomas Konrad

A Primer in Single Page Application Security (Angular, React, Vue.js)

Think your SPA is safe from XSS? Learn how modern frameworks can still leave you vulnerable and how to properly secure your application.

A Primer in Single Page Application Security (Angular, React, Vue.js)
#1about 3 minutes

Understanding single page application architecture

Single page applications improve speed and separation of concerns by rendering HTML on the client-side and fetching data via APIs.

#2about 5 minutes

The primary security threat of cross-site scripting

Cross-site scripting (XSS) is the main vulnerability in SPAs, where untrusted data is mixed with markup, leading to malicious code execution in the user's browser.

#3about 3 minutes

How Angular, React, and Vue handle innerHTML security

Angular automatically sanitizes `innerHTML` to prevent XSS, while React's `dangerouslySetInnerHTML` and Vue's `v-html` require manual care.

#4about 4 minutes

Securing dynamic attributes like href and src

Dynamic `href` attributes can execute JavaScript via `javascript:` URLs, and dynamic `src` or `style` attributes also pose XSS risks.

#5about 3 minutes

Using DOMPurify for robust HTML sanitization

Use the DOMPurify library to safely render untrusted HTML in frameworks like React and Vue, or to customize Angular's strict default sanitizer.

#6about 3 minutes

Why you should avoid direct DOM manipulation

Bypassing framework template engines by using direct DOM functions like `document.write` or `eval` reintroduces significant XSS vulnerabilities.

#7about 3 minutes

Using Content Security Policy for defense in depth

Implement a Content Security Policy (CSP) via HTTP headers to restrict script sources and disable inline scripts, providing a strong second layer of defense against XSS.

#8about 2 minutes

The future of XSS prevention with Trusted Types

The upcoming Trusted Types CSP directive will prevent strings from being passed to dangerous DOM functions, effectively creating a strongly-typed and safer DOM API.

#9about 3 minutes

A practical checklist for preventing XSS in SPAs

Follow a security checklist that includes using framework templates, sanitizing HTML with DOMPurify, and implementing a Content Security Policy.

#10about 3 minutes

Managing security risks in third-party dependencies

Regularly scan your project's dependencies for known vulnerabilities using tools like `npm audit` and automate the update process to mitigate risks from external code.

#11about 4 minutes

Essential web security best practices beyond SPAs

Ensure overall application security by enforcing TLS, using SameSite cookies, correctly configuring CORS, and securing WebSocket connections.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

How modern frameworks fail to prevent all XSS attacks
04:02 MIN

How modern frameworks fail to prevent all XSS attacks

Securing Frontend Applications with Trusted Types

How SPAs came to dominate frontend development
01:22 MIN

How SPAs came to dominate frontend development

Snappy UI needs no Single-Page Application

Q&A on framework comparisons and advanced concepts
13:26 MIN

Q&A on framework comparisons and advanced concepts

Securing Frontend Applications with Trusted Types

The hidden complexities of single-page applications
04:25 MIN

The hidden complexities of single-page applications

Why HTMX is crushing React, Vue & Svelte.

Frontend developers now share responsibility for application security
02:37 MIN

Frontend developers now share responsibility for application security

Security in modern Web Applications - OWASP to the rescue!

Q&A on common pitfalls and sanitization tools
01:03 MIN

Q&A on common pitfalls and sanitization tools

101 Typical Security Pitfalls

Questioning the default choice of SPAs for web development
02:19 MIN

Questioning the default choice of SPAs for web development

Why HTMX is crushing React, Vue & Svelte.

Common accessibility challenges in React SPAs
03:43 MIN

Common accessibility challenges in React SPAs

Accessibility in React Application

Featured Partners

Related Videos

See all videos
Securing Frontend Applications with Trusted Types
45:19

Securing Frontend Applications with Trusted Types

Philippe De Ryck

Cross Site Scripting is yesterday's news, isn't it?
30:54

Cross Site Scripting is yesterday's news, isn't it?

Martina Kraus

Snappy UI needs no Single-Page Application
40:24

Snappy UI needs no Single-Page Application

Clemens Helm

Why I Recommend Svelte to Every New Web Developer
31:21

Why I Recommend Svelte to Every New Web Developer

Markus Hatvan

Security in modern Web Applications - OWASP to the rescue!
26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

Accessibility in React Application
30:07

Accessibility in React Application

Julia Undeutsch

SEO in Angular? No big deal with SSR and Angular Universal
44:00

SEO in Angular? No big deal with SSR and Angular Universal

Martina Kraus

Vuejs and TypeScript- Working Together like Peanut Butter and Jelly
44:31

Vuejs and TypeScript- Working Together like Peanut Butter and Jelly

Rob Richardson

Related Articles

View all articles
Benjamin Ruschin
The HTML Elements That You’re Probably Over-Engineering
As frameworks have become more and more commonplace in the world of web development, so too has the over-engineering of features made possible by our humble old friend, HTML. The mental models that come with using state management in React, Vue and o...
The HTML Elements That You’re Probably Over-Engineering
Daniel Cranney
Why Developers are So Excited About Pretext
Pretext is a new JavaScript and TypeScript library from Cheng Lou - previously a React core developer - that crossed 7,000 GitHub stars in three days to get the entire tech world talking recently. The demos that spread were visually striking: dragon...
Why Developers are So Excited About Pretext
Christina Schaireiter
Security Basics for Vibe Coders
Vibe coding has become a popular trend in the tech world. With so many tools now available for both developers and non-developers, it’s easier than ever to build projects using natural language, in some cases without touching a line of code along the...
Security Basics for Vibe Coders
Daniel Cranney, Chris Heilmann
Dev Digest 215: Agent Memory, JS2026, Googlebot Analysis & Canvas❤️HTML
Inside last week’s Dev Digest 215 . 🗿 Make AI talk like a caveman 🧠 A guide to context engineering for LLMs 🤖 Simon Willison on agentic engineering 🔐 Axios supply chain attack post mortem 🛡️ Designing AI agents to resist prompt injection 🎨 HTML in c...
Dev Digest 215: Agent Memory, JS2026, Googlebot Analysis & Canvas❤️HTML

From learning to earning

Jobs that call for the skills explored in this talk.

Frontend Developer

Frontend Developer

Turboneer LLC
Mount Morris, United States of America

Remote
25-40K
Intermediate
React
Vue.js
Angular
+2