JSFoo 2018

On JavaScript and Security

Building a secure BFF at Postman

Submitted by Ankit Muchhala (@ankit-muchhala) on Thursday, 30 August 2018


Full Talk


Confirmed & Scheduled


This talk introduces the audience to the security implications of writing application code for public-facing gateway services. It is not a tutorial on security best practices. Instead, it focuses on building an understanding of what it takes to develop secure applications and outlines concrete ways to do so.

Key takeaways:

  1. How to build secure APIs
  2. Understand security challenges while building BFF (Backend For Frontend)
  3. Security should be a part of writing code - not a separate


BFF Introduction

  • Rise of BFFs in microservices architecture
  • Purpose of these gateway services
  • Security challenges and considerations

Core security properties of an API

  • Confidentiality
  • Integrity
  • Availability

Responsibilities of a BFF

  • Managing public access to internal services
  • Validation and sanitisation of requests and responses
  • Deferring certain responsibilities to downstream services

Building with security in mind

  • Architecture as a forcing function for security
  • Principle of least privilege
  • Content security
  • Testing for security
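The two outlines above (responsibilities of a BFF, and building with least privilege and content security in mind) can be made concrete as a small gateway layer written as pure functions, so it runs without a network. This is an added example written for this page, not code from the talk or from Postman's BFF; the route table, service name, token scopes and field names are illustrative assumptions, and `req.user` stands in for an identity the BFF's own session layer has already established.

```javascript
'use strict';

// Route table: the only upstream endpoints this BFF exposes. Anything not
// listed here is unreachable from the public side. Service name, scopes and
// field names are assumptions for the example, not Postman's real routes.
const ROUTES = [
  {
    method: 'GET',
    // Anchored pattern with a strict id charset: '../' or stray segments do not match.
    pattern: /^\/api\/collections\/([A-Za-z0-9_-]{1,64})$/,
    upstream: 'collections-service',
    scope: 'collections:read',        // least privilege: a read route gets a read-only token
    responseFields: ['id', 'name', 'updatedAt'],
  },
  {
    method: 'POST',
    pattern: /^\/api\/collections$/,
    upstream: 'collections-service',
    scope: 'collections:write',
    requestFields: { name: 'string' }, // allow-listed body fields and their expected types
    responseFields: ['id', 'name'],
  },
];

const MAX_BODY_BYTES = 16 * 1024;
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function reject(status, error) {
  return { status, error };
}

// Validate a JSON body against the route's allow-list. Unknown keys (including
// "__proto__" or "isAdmin") are rejected rather than silently stripped, so a
// mass-assignment attempt never reaches the downstream service.
function validateBody(route, rawBody) {
  if (typeof rawBody !== 'string' || rawBody.length === 0) return reject(400, 'body required');
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) return reject(413, 'body too large');
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch (e) { return reject(400, 'body is not valid JSON'); }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return reject(400, 'body must be a JSON object');
  }
  for (const key of Object.keys(parsed)) {
    if (!hasOwn(route.requestFields, key)) return reject(400, `unexpected field: ${key}`);
    if (typeof parsed[key] !== route.requestFields[key]) {
      return reject(400, `field ${key} must be ${route.requestFields[key]}`);
    }
  }
  for (const key of Object.keys(route.requestFields)) {
    if (!hasOwn(parsed, key)) return reject(400, `missing field: ${key}`);
  }
  // Re-serialise so only the validated object is forwarded, never the raw bytes.
  return { body: JSON.stringify(parsed) };
}

// Map a public request onto an internal one, or refuse it. The browser's
// cookies are never forwarded; instead `mintToken` (assumed to call an auth
// service) issues a token scoped to exactly what this route needs.
function buildUpstreamRequest(req, mintToken) {
  const route = ROUTES.find((r) => r.method === req.method && r.pattern.test(req.path));
  if (!route) return reject(404, 'unknown route');
  if (!req.user) return reject(401, 'not authenticated');

  let body;
  if (route.requestFields) {
    const v = validateBody(route, req.body);
    if (v.status) return v;
    body = v.body;
  } else if (req.body) {
    return reject(400, 'body not allowed on this route');
  }

  return {
    route,
    upstream: route.upstream,
    method: route.method,
    path: req.path,
    headers: {
      authorization: `Bearer ${mintToken(req.user, route.scope)}`,
      'content-type': 'application/json',
    },
    body,
  };
}

// Filter an upstream response down to the allow-listed fields so
// internal-only attributes never reach the browser.
function sanitizeUpstreamResponse(route, upstreamBody) {
  const out = {};
  for (const field of route.responseFields) {
    if (hasOwn(upstreamBody, field)) out[field] = upstreamBody[field];
  }
  return out;
}

// Headers every BFF response carries regardless of route (content security).
function securityHeaders() {
  return {
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
    'x-content-type-options': 'nosniff',
    'cache-control': 'no-store',
  };
}

// Stand-in for the auth-service call, constructed for the demo.
function demoMintToken(user, scope) {
  return `${user}:${scope}`;
}

// Constructed sample traffic: one valid create, one mass-assignment attempt.
const created = buildUpstreamRequest(
  { method: 'POST', path: '/api/collections', user: 'alice', body: '{"name":"Payments"}' }, demoMintToken);
const tampered = buildUpstreamRequest(
  { method: 'POST', path: '/api/collections', user: 'alice', body: '{"name":"Payments","owner":"admin"}' }, demoMintToken);
console.log(created.headers.authorization, created.body);   // Bearer alice:collections:write {"name":"Payments"}
console.log(tampered.status, tampered.error);               // 400 unexpected field: owner
console.log(sanitizeUpstreamResponse(created.route, { id: 'c1', name: 'Payments', ownerEmail: 'alice@example.com' }));
```

The point of keeping the route table declarative is that the security decisions (which paths exist, what scope each needs, which fields cross the boundary in either direction) live in one reviewable place rather than scattered through handlers, which is what makes them easy to lint and test for.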

Case Study - Postman BFF

  • Abstracting out security from business logic
  • Security as development stage
  • Enforcing best practices using tests and linting
  • Continuous monitoring for security


The talk assumes basic familiarity with HTTP concepts.

Speaker bio

I am a Software Developer at Postman. I have been developing web applications for the past 4 years. Currently, I spend my time building, optimizing and maintaining the web products of Postman.




