Advanced Frontend Security
The security knowledge FAANG expects from senior engineers. XSS beyond the basics — DOM clobbering, mutation XSS, trusted types. CORS internals at the header level. CSP bypass techniques and how to prevent them. Prototype pollution, supply chain attacks, subresource integrity, and the security review mindset that catches vulnerabilities before they ship.
Move past basic XSS into the attacks that actually bypass modern defenses. DOM clobbering, mutation XSS, Trusted Types, DOMPurify internals, and template injection in frontend frameworks.
Understand CORS at the protocol level. Simple vs preflight requests, every Access-Control-* header explained, credentials mode, and the security model behind why browsers enforce origin restrictions.
Master CSP at the directive level. Nonce vs hash strategies, 'strict-dynamic' for safe script loading, report-uri for monitoring, and understanding bypass techniques so you can prevent them.
How prototype pollution works at the engine level, real CVEs from lodash and beyond, exploitation chains that turn property injection into XSS or RCE, and the defensive patterns that actually prevent it.
How npm supply chain attacks actually work, Subresource Integrity for third-party scripts, lockfile poisoning, dependency auditing strategies, and the security practices that protect production applications.
Where to store authentication tokens, why localStorage is dangerous, httpOnly cookies vs in-memory storage, CSRF prevention, refresh token rotation, and the session security patterns used at scale.
How clickjacking attacks work, X-Frame-Options vs CSP frame-ancestors, the iframe sandbox attribute, postMessage origin validation, and the defense strategies that prevent UI redress attacks.
How to think like an attacker during code review, threat modeling for frontend applications, the OWASP Top 10 mapped to frontend-specific vulnerabilities, and building a security review checklist that catches real bugs.