Highest Voted 'react' Questions - IT Security Stack Exchange

7

votes

1 answer

Generate CSRF token in SPA

I'm extremely confused on the topic of generating a session long CSRF token on a single page application using React. It looks like the convention is to have the server generate the CSRF token on log in, and embed the token on the login…

csrf react

asked Mar 05 '20 at 19:57

alex067

335
3
7

3

votes

3 answers

Securing client side code of react application

I'm developing application with react and all the main logic is on the client side. I want to force users to use the application only if they paid for the app subscription. Are there any methods to prevent(or harden the ability to remove certain…

authentication obfuscation react

asked Jan 10 '21 at 09:03

mikereverichi

31
4

3

votes

1 answer

Protect public(?) API endpoints

I'm building a fairly simple web application at the moment but because I have plans on turning this into sort of a multi-project portfolio app, I've decided to decouple the back-end and the front-end. That way I can easily integrate my other…

php api react

asked Jan 09 '20 at 11:21

Ecaz

33
4

3

votes

1 answer

Can an end-user modify conditional rendering in React?

On my Single Page App I am using MSAL.js to authenticate users and to also extract the groups they belong to by using Microsoft Graph endpoints. I save to a variable the Specific groups the user belongs to. According to the content of that variable,…

single-page-app react

asked Nov 23 '19 at 23:26

user5950

133
4

3

votes

1 answer

Am I safe from XSS in React as long as I don't use dangerouslySetInnerHTML?

Let's say I write a webapp using React only, never touching the DOM directly. I never use dangerouslySetInnerHTML. Do I still have to worry about XSS? Or in other words, are there any other unsafe usages of React? It would be very nice if the only…

web-application xss javascript react

asked Aug 27 '18 at 19:01

Anders

64,406
24
178
215

2

votes

2 answers

Is there a security risk in hosting an app's HTML/JavaScript payment system on a CDN?

We have a mobile app (React and Expo) in which the user is able to provide payment via Stripe. Our implementation uses a WebView which renders HTML and JavaScript content, which in turn pulls in the Stripe JavaScript client and implements the…

android mobile payment-gateway cdn react

asked Apr 30 '20 at 13:41

jlmt

123
2

2

votes

1 answer

Double JWT submit method

I'm implementing my JWT method by using the double submit method: where we separate the payload & header portion of the JWT from the signature. The header & payload is stored in a separate cookie, not HttpOnly so its accessible by the client, and…

web-application account-security session-management jwt react

asked Mar 05 '20 at 19:39

alex067

335
3
7

2

votes

1 answer

Securing a Node.js REST API for React.js webapp as well as a standalone API

I'm trying to create a secure method of authentication for my Node.js REST API that will work both for direct API requests as well as from my React.js web application. I've done some reading on how to properly store authentication tokens to protect…

javascript jwt node.js react

asked Jul 09 '19 at 16:59

vipulp

21
2

2

votes

1 answer

How is the create-react-app package tree properly sanitized?

React, and it's application creation script, create-react-app, are popular packages nowadays... and with good reason: React is a rock-star framework. From a security perspective, sanitizing all the packages that create-react-app installs seems to be…

vulnerability-scanners opensource npm react

asked Feb 01 '18 at 16:55

kmiklas

129
3

1

vote

1 answer

Can an attacker mess with a website that doesn't use a back-end server? (and how I can prevent that)

I'm developing a React web app where the user can input a .csv of their transaction data, and the app will output useful analysis that will inform their future purchase decisions. I'm planning to use an input component for the user to input their…

javascript react

asked Feb 18 '22 at 16:02

Khang

11
1

1

vote

2 answers

How to protect client server app if both: client and server - located on client side?

Frontend communicates to backend. I am a developer of frontend and backend. I want to protect my app (prohibit end user from using my app without paying). The only thing I have in mind is to have some middle point, some my server. Frontend send some…

web-application php react

asked Feb 10 '21 at 16:48

John Smith

111
3

1

vote

0 answers

Can I read environment process variables of a react client in a browser?

I'm currently doing a pentest for a client and I've come across something new to me. When I log in, I view the username/password values in burpsuite and find they are encrypted using Cryptojs. I'm looking at the debugger in the browser and come…

cryptography brute-force react

asked Nov 30 '20 at 05:40

Crashie

23
4

1

vote

1 answer

Ways to exploit a form action value when it s reflected from URI on React-Django

I am working on a security testing project, where I have noticed that the form action of a login page takes whatever is fed to URI as a parameter, the respective part of the login page is as follows:

xss django react

asked May 10 '20 at 22:06

GunG

11
1

1

vote

1 answer

React and NodeJS over TLS

I'm running a simple NodeJS REST API and a ReactJS frontend application and I want them to communicate in a secure way over TSL. I've successfully issued a certificate (DNS challenge) from Let's Encrypt and I'm currently using it for my IIS site…

tls node.js react

asked Apr 07 '20 at 10:40

Pascal

11
2

0

votes

0 answers

Using `react-oidc-context` and storing the `access_token` and `refresh_token` together

I am looking for a "best practises" approach for creating SPAs protected using OIDC + PKCE. Most of our applications are hosted on two independent web servers with a load balancer routing requests to them in a round-robin configuration. Our SPAs are…

oauth2 asp.net-core react oidc

asked Jun 22 '22 at 14:24

user1913559

3
1

1

2 Next

Questions tagged [react]