Back to course catalog

Angular, React and Front-end Security Follow Up

  • CL-ARF
  • 1 days
  • Web, JavaScript, TypeScript


This course is the next step for our participants, who completed either our OWASP Top 10, Java Secure Coding or C# Fundamentals course. This is a follow up training, meaning that in order to attend this, everyone must already have the knowledge that is covered in the Fundamentals.

This follow-up course is tailored to participants working as full-stack or frontend developers using Angular and React. The course dives into modern browser security features, as well as framework specific countermeasures and mitigation techniques.

At the end of the training everyone has the possibility to take an exam, where they are able to measure their level of the gained knowledge.

Participants attending this course will

  • Learn client-side vulnerabilities and secure coding practices
  • Understand Content Security Policy
  • Explore the security features of Angular
  • Understand Angular's countermeasures against XSS
  • Understand Angular's countermeasures against HTTP-level vulnerabilities
  • Learn about the security of ReactJS
  • Understand React's countermeasures against XSS
  • Learn about JSON security


  • Client-side security
  • Modern browser security features
  • Introduction to Angular security
  • Protection against XSS in Angular
  • Protection against HTTP-level vulnerabilities
  • Introduction to React security

Course information


General JS development



Delivery methods

Virtual classroom

Course reviews

Table of contents

  • Day 1
  • Client-side security
    • JavaScript security
    • Same Origin Policy
    • Simple requests
    • Preflight requests
    • JavaScript usage
    • JavaScript Global Object
    • Dangers of JavaScript
    • Clickjacking
      • Clickjacking
      • Exercise – IFrame, Where is My Car?
      • Protection against Clickjacking
      • Anti frame-busting – dismissing protection scripts
      • Protection against busting frame busting
    • AJAX security
      • XSS in AJAX
      • Script injection attack in AJAX
      • Exercise – XSS in AJAX
      • XSS protection in AJAX
      • iCloud worm
      • AJAX security guidelines
  • Modern browser security features
    • SameSite Attribute
      • 3rd party cookies
    • Certificate Transparency
      • Exercise – HTTP Response Headers
    • Content Security Policy
      • Directives
      • Sources
      • Extensions
      • Exercise – CSP in Action
  • Introduction to Angular security
    • Versions of Angular
    • Data binding
    • Templating
    • Built-in security features
    • Best practices by Angular
  • Protection against XSS in Angular
    • XSS in a nutshell
    • Trusted and untrusted values
      • Inserting values into the DOM
      • Handling of templates
      • AOT template compiler
      • Ahead-of-time compilation
      • Ahead-of-time compilation phases
    • Sanitization and security contexts
      • Sanitization
      • Security contexts
      • Exercise: Security Contexts
      • Interacting with the DOM
      • Marking values as trusted
      • Exercise: Marking values as trusted
    • Enforcing Trusted Types
      • Enforcing Trusted Types
      • Configuring HTTP headers
    • Server-side XSS protection
      • Server-side template generation
  • Protection against HTTP-level vulnerabilities
    • Cross-site request forgery protection in Angular
    • Angular's XSRF protection in practice
    • XSSI protection in Angular
      • Cross-site script inclusion protection in Angular
      • Angular's XSSI protection in practice
  • Introduction to React security
    • Introduction to ReactJS
    • Protection against XSS in React
      • Cross Site Scripting (XSS) in React - 1
      • Cross Site Scripting (XSS) in React - 2
      • Cross Site Scripting (XSS) in React - 3
      • Cross Site Scripting (XSS) in React - 4
      • Case study – XSS via spoofed JSON element
        • Advanced attack abusing dangerouslySetInnerHTML

Get more information

Send inquiry