20121218

Client-side security

Key points:
-HTTPS (Strict-Transport-Security header)
-XSS
-escaping input
-filtering output
-Content-Security-Policy (no inline scripts), report-only mode possible
-sandboxing iframes with minimal rights
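
The key points above combined in one response, as an added example that is not from the presentation. The function names, policy values, report path and widget URL are assumptions chosen for illustration.

```javascript
// Added example: names, policy values and the report path are assumptions.

// Build response headers for an HTTPS site. reportOnly=true makes the browser
// report CSP violations without blocking, useful while tuning the policy.
function securityHeaders({ reportOnly = false, reportUri = "/csp-report" } = {}) {
  // No 'unsafe-inline': inline <script> blocks and on* handlers will not run.
  const policy = [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    `report-uri ${reportUri}`,
  ].join("; ");
  const cspName = reportOnly
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";
  return {
    // Browsers honour this header only when it arrives over HTTPS.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    [cspName]: policy,
    "Content-Type": "text/html; charset=utf-8",
  };
}

// Escape untrusted data for HTML element content and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a page holding a user comment and a third-party widget.
// widgetUrl is assumed to be developer-configured, not user input.
function renderPage(comment, widgetUrl) {
  return [
    "<!doctype html>",
    "<title>Comments</title>",
    `<p>${escapeHtml(comment)}</p>`,
    // Only allow-scripts: no same-origin access, forms, popups or top navigation.
    `<iframe sandbox="allow-scripts" src="${escapeHtml(widgetUrl)}"></iframe>`,
    // Scripts are loaded from 'self' as external files, so the CSP permits them.
    '<script src="/static/app.js"></script>',
  ].join("\n");
}

// Constructed sample input.
const page = renderPage('<img src=x onerror="alert(1)">', "https://widgets.example/embed");
console.log(securityHeaders({ reportOnly: true }));
console.log(page);
```
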


presentation - Mike West