Questions tagged [single-page-app]

A single page app (SPA) is a web application using only one HTML page. JavaScript is commonly used to modify the single page, and AJAX to fetch data from the server.

71 questions
71 votes, 3 answers
Securing a JavaScript Single Page App with RESTful backend

I'm currently in the process of building a JavaScript SPA and have been researching how to secure it. There is currently a RESTful API that is being completely interacted with through AJAX. We also have mobile clients that interact with this API,…

Jon Wingfield
32 votes, 2 answers
CSRF protection and Single Page Apps

I am in the process of writing a thick client web app using Angular.js (single page app) and was wondering what are the best practices for securing the app using a CSRF token. Should I send a CSRF token when the app is first loaded then reuse that…

Olivier Lalonde
31 votes, 3 answers
Secure a publicly accessible REST api

We're building a public single page app in JavaScript that talks to a back-end REST service. What we want is for that REST-service to be only accessible from the single page app. Since it's a public website, we can't / don't want the user to enter…
Kenneth
20 votes, 1 answer
OIDC Flow for SPA and RESTful API

I'm building a Single-Page App (SPA) and a RESTful API. The API needs security - certain users can only make calls to certain endpoints. I have an external Identity Provider (IdP (Okta)) that I want the user to authenticate with using the OpenId…
Steve
15 votes, 6 answers
Preventing users from tampering with input

Let's say that I have a single-page web app written in JavaScript and a server-side API, both changeable by me. The app calculates some values based on user input and POSTs these to the API. The values are based on user input but do not contain user…
TrueWill
12 votes, 2 answers
Secure REST API and Single Page App by using external OAuth 2 Authorization Code

I am trying to understand how to implement an OAuth 2 Authorization Code flow when having both a single page JS app and a REST API. The aim is to secure access to the REST API by offloading authentication to the OAuth provider. Currently my flow…
Anvar Karimson
9 votes, 2 answers
Can XHR patching prevent XSS side-effects?

XSS & Single-Page Apps: I'm researching web security, and have seen that token based authentication is good for CSRF prevention, distributed system architectures and processing performance. But another problem is XSS. Not specifically talking…

Hadrian
8 votes, 4 answers
Why do we trust session info over the wire but not an OAuth access token?

I've been spending a lot of time looking into building an API that needs to be accessible by a single page JavaScript application and how to make it as secure as possible. A lot of what I'm reading about standards like OAuth suggests that you never…

adam
7 votes, 2 answers
How to ensure that only my single page app can make requests to an API

I have a REST API that can potentially serve multiple web clients. I want to ensure that only my single page app on my-one-and-only-web-cleint.com can make requests to my API. How do I do this? Right now there isn't much to stop someone from copying…
garbage collection
6 votes, 2 answers
Auth code grant w/ PKCE for SPAs

I'm a security newb trying to find out how to secure my SPAs, and am totally lost in the forest of RFCs, BCPs, drafts and blog posts. If possible, I'd like to serve my SPAs statically from a CDN. At first I was uplifted by this article from Okta…

AleksG
6 votes, 2 answers
JSON Web Token Security

I've been working with JSON Web Tokens and reading up on how to make an app more secure. When a user is authorized, the token is signed, and a token will be placed in the Authorization header. This token can then be placed in localStorage,…

My Name
5 votes, 1 answer
Split a JWT between payload and signature

Context: I'm looking at storage solutions for JWT tokens on a single page application. Storing the JWT in the local storage is unsafe and prone to XSS attacks. Storing the JWT in a secure / HTTP only cookie is safer, but prone to CSRF attacks. I'm…
HHK
5 votes, 2 answers
Is CSRF possible in an SSR SPA with cookie authentication?

I have a Single-Page Application, which is basically a consumer to my API which authenticates using the Authorization header. Now because I do server-side rendering, I need to authenticate on the initial request, which means I need to use cookies to…

OverCoder
4 votes, 3 answers
What's the best way to secure the responses in a single page web app after logout?

I've read some of the great responses to storing and passing session keys in a single page web application (i.e., a web "site" that runs mostly on the client-side, getting data from the server by using an API). But my question is about securing…
Yuri
4 votes, 1 answer
Does using token-based auth make CSRF checks on login unnecessary?

Based on my understanding, avoiding the use of cookies as an authentication mechanism prevents CSRF vulnerabilities entirely (namely token based authentication in an SPA), when authenticated. Does this also render CSRF checks on the login page / API…