Modern Techniques for Securing SPAs
On the surface, Single Page Applications (SPAs) seem simple: modern development stacks streamline web UI development and deliver rich user experiences. Behind the UI, however, SPAs typically need to call APIs and microservices. Since JWT access tokens have become the dominant way for APIs to protect data, the SPA must obtain an access token and send it with each API request.
The SPA must therefore be secured: it has to authenticate the end user and obtain an access token with which to call APIs. In light of threats such as Cross-Site Scripting (XSS), however, SPA security becomes a more serious challenge.
The browser is a hostile place to execute code. Since SPAs run in the browser, developers must carefully design how the SPA persists tokens: anything kept in localStorage, sessionStorage or a JavaScript-readable cookie is available to every script running in the page's origin, so a single XSS bug can hand an attacker the access token. If tokens are not handled securely, the result can be a costly data breach. Strengthening browser security can be complicated and lead to other problems, such as poor user experience, decreased productivity, deployment difficulties and code complexity.
To help you overcome this challenge, Curity has assembled a new whitepaper dedicated to the security of single page applications. In it, we explore various web architectures, explain potential threats, and discuss in greater detail a standards-based solution called the Token Handler Pattern.
You can read the whitepaper here.