Building a Better Web
June 19–20, 2017: Training
June 20–22, 2017: Tutorials & Conference
San Jose, CA

Handling authentication secrets in the browser

4:25pm–5:05pm Wednesday, June 21, 2017
Web Services and APIs
Location: 210 BF
Secondary topics: Microservices, RESTful web, Security

Who is this presentation for?

  • Frontend developers, backend developers, and full stack developers

Prerequisite knowledge

  • General knowledge of web development

What you'll learn

  • Learn how to secure your application secrets


Applications that run in the browser and connect to backend services face a difficult security problem. Given the open nature of the browser environment, where anybody can inspect or even modify a running application, it is practically impossible to hide secrets such as access tokens or passwords from a savvy user (or from an attacker who has gained control of their computer).

Fortunately, there are a number of best practices and safeguards that minimize and sometimes completely eliminate the risk of an attack. Miguel Grinberg covers techniques to secure different types of web applications, from old-school thin-client apps where the server does everything to modern JavaScript rich UIs that connect to a distributed network of services.

Topics include:

  • How secrets can be attacked in the server, in the client, and during transit
  • When to store secrets in the server and when to store them in the client
  • Passwords versus tokens: When to use one or the other
  • Access tokens from third-party services such as Facebook, Twitter, and GitHub
  • JSON Web Tokens
  • Techniques to secure a login form
  • Techniques to secure asynchronous requests to backend services
  • How Rackspace protects the AWS managed apps control panel

Miguel Grinberg


Miguel Grinberg is a software developer at Rackspace, where he works on cloud applications. He blogs about a variety of topics, including web development, Python, robotics, photography, and the occasional movie. Miguel is the author of the O’Reilly book Flask Web Development. He lives in beautiful Portland, Oregon.