Single Page Applications (SPAs) seem simple on the surface, using modern development stacks that streamline Web UI development and deliver rich user experiences. The SPA must then be secured, to authenticate the end-user and obtain an access token with which to call APIs.
SPA security becomes more complicated when you consider threats such as Cross-Site Scripting (XSS). The browser is a hostile place to execute code, so application developers must consider how the SPA should persist tokens, since if they leak you could end up with costly data breaches.Attempts to strengthen browser security can in turn lead to other problems, in areas such as user experience, developer productivity, deployment, and code complexity.
The aim of this whitepaper is to solve the SPA security problem by exploring various web architectures, explaining threats, and recommending a standards-based solution called The Token Handler Pattern.
Upon reading, you will get a stronger understanding of web security architecture design and the use of URLs and domains.
