Slides and video from Spike Brehm's tech talk: Building Single-Page Apps - frontendbeauty
http://nerds.airbnb.com/slides-and-video-from-spike-brehms-tech-talk

======
serialpreneur
Excellent talk. Really like how he talked about the overall architecture as
well as implementation details

------
jbredeche
Really enjoyed this talk. Good material and great presentation, thanks again!

------
mycodebreaks
What are effective ways to prevent CSRF in single-page apps?

~~~
e12e
I think the recommendation to use request tokens still stands[1].

I haven't really had the chance to dive into html5/client-side js apps yet --
but it should be possible to apply the same idea to single-page apps as well?
Perhaps even easier, as you don't need a fallback to plain http/1.1 on the
client side, as you can already assume the client is able to run javascript,
and you could do a lot of stuff to manipulate/validate tokens there.

Having a good implementation (not having to roll your own) would be good,
though. Judging by [2] you might have to implement it yourself. Although [3]
and [4] looks promising for express.js at least.

I have not had time to review this -- so perform your own due diligence.

[1] <https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern>

[2] <http://stackoverflow.com/questions/6617499/for-node-js-is-there-a-csrf-token-module-that-works-with-ajax>

[3] <http://dailyjs.com/2012/09/13/express-3-csrf-tutorial/>

[4] <http://www.senchalabs.org/connect/csrf.html>

