Questions tagged [react]

React is a JavaScript library for building user interfaces.

25 questions
7 votes, 1 answer

Generate CSRF token in SPA

I'm extremely confused on the topic of generating a session long CSRF token on a single page application using React. It looks like the convention is to have the server generate the CSRF token on log in, and embed the token on the login…
alex067
  • 335
  • 3
  • 7
3 votes, 3 answers

Securing client-side code of a React application

I'm developing an application with React and all the main logic is on the client side. I want to force users to use the application only if they paid for the app subscription. Are there any methods to prevent (or harden the ability to remove certain…
3 votes, 1 answer

Protect public(?) API endpoints

I'm building a fairly simple web application at the moment but because I have plans on turning this into sort of a multi-project portfolio app, I've decided to decouple the back-end and the front-end. That way I can easily integrate my other…
Ecaz
  • 33
  • 4
3 votes, 1 answer

Can an end-user modify conditional rendering in React?

On my Single Page App I am using MSAL.js to authenticate users and to also extract the groups they belong to by using Microsoft Graph endpoints. I save to a variable the specific groups the user belongs to. According to the content of that variable,…
user5950
  • 133
  • 4
3 votes, 1 answer

Am I safe from XSS in React as long as I don't use dangerouslySetInnerHTML?

Let's say I write a webapp using React only, never touching the DOM directly. I never use dangerouslySetInnerHTML. Do I still have to worry about XSS? Or in other words, are there any other unsafe usages of React? It would be very nice if the only…
Anders
  • 64,406
  • 24
  • 178
  • 215
2 votes, 2 answers

Is there a security risk in hosting an app's HTML/JavaScript payment system on a CDN?

We have a mobile app (React and Expo) in which the user is able to provide payment via Stripe. Our implementation uses a WebView which renders HTML and JavaScript content, which in turn pulls in the Stripe JavaScript client and implements the…
jlmt
  • 123
  • 2
2 votes, 1 answer

Double JWT submit method

I'm implementing my JWT method by using the double submit method: where we separate the payload & header portion of the JWT from the signature. The header & payload is stored in a separate cookie, not HttpOnly so it's accessible by the client, and…
2 votes, 1 answer

Securing a Node.js REST API for React.js webapp as well as a standalone API

I'm trying to create a secure method of authentication for my Node.js REST API that will work both for direct API requests as well as from my React.js web application. I've done some reading on how to properly store authentication tokens to protect…
vipulp
  • 21
  • 2
2 votes, 1 answer

How is the create-react-app package tree properly sanitized?

React, and its application creation script, create-react-app, are popular packages nowadays... and with good reason: React is a rock-star framework. From a security perspective, sanitizing all the packages that create-react-app installs seems to be…
kmiklas
  • 129
  • 3
1 vote, 1 answer

Can an attacker mess with a website that doesn't use a back-end server? (and how can I prevent that)

I'm developing a React web app where the user can input a .csv of their transaction data, and the app will output useful analysis that will inform their future purchase decisions. I'm planning to use an input component for the user to input their…
Khang
  • 11
  • 1
1 vote, 2 answers

How to protect a client-server app if both client and server are located on the client side?

Frontend communicates to backend. I am a developer of frontend and backend. I want to protect my app (prohibit end user from using my app without paying). The only thing I have in mind is to have some middle point, some server of my own. Frontend sends some…
John Smith
  • 111
  • 3
1 vote, 0 answers

Can I read environment process variables of a react client in a browser?

I'm currently doing a pentest for a client and I've come across something new to me. When I log in, I view the username/password values in burpsuite and find they are encrypted using Cryptojs. I'm looking at the debugger in the browser and come…
Crashie
  • 23
  • 4
1 vote, 1 answer

Ways to exploit a form action value when it's reflected from URI on React-Django

I am working on a security testing project, where I have noticed that the form action of a login page takes whatever is fed to URI as a parameter, the respective part of the login page is as follows:
GunG
  • 11
  • 1
1 vote, 1 answer

React and NodeJS over TLS

I'm running a simple NodeJS REST API and a ReactJS frontend application and I want them to communicate in a secure way over TLS. I've successfully issued a certificate (DNS challenge) from Let's Encrypt and I'm currently using it for my IIS site…
Pascal
  • 11
  • 2
0 votes, 0 answers

Using `react-oidc-context` and storing the `access_token` and `refresh_token` together

I am looking for a "best practises" approach for creating SPAs protected using OIDC + PKCE. Most of our applications are hosted on two independent web servers with a load balancer routing requests to them in a round-robin configuration. Our SPAs are…