SecAppDev 2025 lecture details
Breaking and securing OAuth 2.0 in frontends
Using OAuth 2.0 in the frontend increases your attack surface. Learn why BFF is safer and how to defend against real-world token attacks.
Schedule TBD
Abstract
Everyone agrees that Cross-Site Scripting (XSS) is a real threat to browser-based applications, yet many underestimate its true power. The common practice of making a JavaScript frontend an OAuth 2.0 client, using techniques like refresh token rotation, fails to account for real-world attacker scenarios.
This talk demonstrates concrete attacks that bypass frontend token protections entirely. You'll learn why this pattern is risky and how a Backend-For-Frontend (BFF), as defined in the "OAuth 2.0 for Browser-based Apps" spec (co-authored by the speaker), offers a more secure approach.
Key takeaway
Frontend OAuth 2.0 patterns, even with token protections, leave apps exposed—real security comes from moving sensitive logic to a secure backend.
Content level
Deep-dive
Target audience
Anyone involved in building and securing web frontends
Prerequisites
None
Join us for SecAppDev. You will not regret it!
Grab your seat now
Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Related lectures
Leveraging the security model of the web
Introductory lecture by Philippe De Ryck
Web security is complex and evolving fast, with browsers playing a growing security role. This session explores core techniques to build secure apps and APIs, giving you the foundation to tackle more advanced web security topics.
Key takeaway: Learn how modern browsers approach security and how to build on that foundation to create secure web apps and APIs using proven core techniques.
Using AI to write Secure React.JS code
Deep-dive lecture by Jim Manico
In this talk, we will explore the massive potential of AI in secure code creation. This session will discuss techniques that help AI code generation engines produce higher-quality and more secure code.
Key takeaway: Actionable advice on using AI to generate secure code
Using WebAssembly to run, extend, and secure your app
Introductory lecture by Niels Tanis
In this session we'll dig into WASM, how it works, its security features, and how we can use it to host, extend and secure our applications by running it in the WebAssembly System Interface (WASI).
Key takeaway: Understanding WASM, its security features, and how to leverage them by integrating it into your application/software.