Questions tagged [single-page-app]

A single page app (SPA) is a web application using only one HTML page. JavaScript is commonly used to modify the single page, and AJAX to fetch data from the server.

71 questions
1 vote · 0 answers

Oauth2.0 | How to manage user session in Single Page application running in an iframe?

I'm new to security domain, and recently I have learned about Oauth2.0/OpenID connect and JWT tokens. I have an existing REST based web application where I need to implement security. Server Application A: Spring boot back-end application sever,…
1 vote · 1 answer

Using a persistent httpOnly cookie for authentication? (SPA)

So I'm building an application that needs authentication, I'm wondering if there's any security concerns with using a persistent httpOnly cookie to store user authentication with a SPA? (only 1 server. OAuth is not an option) I could set the duration…
Eden Moss • 11 • 2

1 vote · 0 answers

SAML Passing a JWT token from the API to the SPA application

We are trying to implement the SAML 2.0 protocol and I stumbled upon a problem related to passing the token from the API to the client SPA application. The authentication flow goes like this: the client is redirected to the IdP application where he…
cip123 • 11 • 2

1 vote · 1 answer

Which grant type : Implicit or Auth code (with No secret key) is suitable for Single Page Application(SPA)?

I went through multiple posts saying how implicit grant is a security risk and why auth code grant with AJAX request to Authorization server should be used after redirecting to application (without client_secret passed to Auth server). Now in 2019…
Pratik • 111 • 3

1 vote · 2 answers

OIDC SPA Keycloak refresh_token storage location

I have a Single Page Application based on Open ID Connect flow (keycloak). I wonder what are the security considerations for refresh token storage - what are the advantages and disadvantages for storing refresh token by the web/mobile application or…

1 vote · 0 answers

Is the OAuth implicit flow too insecure for serverless single page web applications?

Assuming the need for OAuth. Imagine an application that is: a single page web application hosted on S3; authenticated using the implicit OAuth flow; and has the web application access resources with their JWTs. This exposes the session to the…
David Alsh • 11 • 1

1 vote · 0 answers

CSRF protection and Single Page Apps hosted on S3 (with no backend)

I have a webapp written in js that runs on AWS S3. There is no way to initialize a secure CSRF token on page load since there is no backend server. The token has to be retrieved via an AJAX call to my API server on a different domain. The API CORS…
1 vote · 0 answers

Restrict Public API To Access From Single App

I have a REST api on a server and an application for android phones that mostly makes calls to that api and presents the info to the user. Because the application needs to be a quick way to lookup public info, it was required that there not be any…
1 vote · 2 answers

Is a single page application naturally breaking the same-origin policy?

Assume that you have a web application. The backend API is deployed at api.example.com and your frontend SPA is deployed at frontend.example.com. When you open it you download all the resources to your browser. The origin is frontend.example.com,…
Qingbao • 101 • 1 • 6

1 vote · 2 answers

How to properly handle unauthorized errors in SPAs

In order to prevent URL guessing for unauthorized users I will return a 404 error even if the URL exists. Is it better to always return a 404 error page even if the call is to an API? Or is it better to return a JSON with a 404 in case of an API…
DGomez • 359 • 1 • 3 • 7

1 vote · 2 answers

High security application in Angular - a bad idea?

Well this is not a question of a specific problem I have, it's more a general question. Yesterday I had a little argument with a friend of mine whether or not a "high security application" (e-Banking for example) could be implemented in Angular (not…
Jonas Wirth • 255 • 2 • 6

1 vote · 1 answer

Inject custom markup via vanilla JS without increasing risk of client-side XSS?

The world of business-to-business enterprise software has always required a high level of custom per-client markup associated with branding and customization. In a SPA that generally means injecting markup in script. Some posts tout frameworks like…
cage rattler • 113 • 5

1 vote · 1 answer

CSRF tokens in Single Page Applications (JavaScript/Angular)

I have an AngularJS SPA served by Apache on a cheap web host. All communication to the backend is via Ajax REST calls to an expensive cloud server running Tomcat. How can the REST calls be protected from CSRF given that the frontend and backend are…
marting • 11 • 3

0 votes · 2 answers

E-Commerce website with REST backend : do I have to secure Backend URLs accessed by Front end public pages?

I have an e-commerce website with a REST backend and a Single page JS as front end. I intend to secure my REST backend with OAuth2. I don't want to oblige the user to authenticate when he first comes on the website, because as an e-commerce website,…
rico • 361 • 3 • 8

0 votes · 0 answers

Refresh token rotation or Authorization Code Flow with PKCE

In a new project, we try to clarify what authorization should look like. I've been reading up on this for days, but it's not really clear to me which solution would be the right one to use. Some solutions are not recommended anymore, some solutions…