single-page-app – Page 6 – WindowsTechs.com

CSRF protection and Single Page Apps on hosted on S3 (with no backend.)

Posted on August 27, 2018 by zeros-and-ones

I have a webapp written in js that runs on AWS S3. There is no way to initialize a secure CSRF token on page load since there is no backend server. The token has to be retrieved via an AJAX call to my API server on a differen… Continue reading CSRF protection and Single Page Apps on hosted on S3 (with no backend.)→

XSS prevention in single page web applications

Posted on June 10, 2018 by iam batman

One of my colleagues suggested the following methods to secure against XSS attacks in my angular5 application:

Enable X-XSS-Protection header
Enable X-frame-options header
Adding proper content security policy to prevent in… Continue reading XSS prevention in single page web applications→

Non-standard OIDC flow: How safe is this?

Posted on April 27, 2018 by Björn Vildljung

I have been made aware of an application, at a client, that claims to use OIDC to authenticate users. This is however done via a non-standard flow that I find hard to assess from a security standpoint.

It starts with a frontend SPA initia… Continue reading Non-standard OIDC flow: How safe is this?→

Implicit flow login from SPA

Posted on April 4, 2018 by ChrisFletcher

Looking at the implicit flow to login with https://github.com/IdentityModel/oidc-client-js and https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/7_JavaScriptClient . The process begins with fo… Continue reading Implicit flow login from SPA→

Protecting frontend code for SPA + Restful API with OIDC

Posted on March 5, 2018 by hhp

I’ve got an Angular 1 SPA with a Restful API that I’d like to restrict access to. As I understand, typically the OIDC Implicit flow is designed just for this. However, I consider the frontend SPA code sensitive as well and wo… Continue reading Protecting frontend code for SPA + Restful API with OIDC→

In an OAuth2-secured API, counter-measures against insecure token storage in third party client-side apps

Posted on October 18, 2017 by bsapaka

Context:

I own one or more public API’s protected by token-based security
I own an OAuth2 server to issue API access tokens via implicit grant to third party single-page apps

Problem:

What steps can I take to help ensu… Continue reading In an OAuth2-secured API, counter-measures against insecure token storage in third party client-side apps→

Evaluating spam score for a single page application

Posted on June 8, 2017 by Gary Olsson

I am developing a single page application with a behaviour similar to google Maps and I want to avoid spam as much as possible.
Users can register on my website to get access to an API KEY. Then, on their website, they can im… Continue reading Evaluating spam score for a single page application→

Is a SPA vulnerable to the BREACH https security exploit?

Posted on January 3, 2017 by jbandi

I have a Single Page Application (SPA) that consists of static resources (HTML, JS, CSS, images fonts …) that are served from an Apache web server and several API endpoints (serving JSON from a JBoss Backend, proxied throug… Continue reading Is a SPA vulnerable to the BREACH https security exploit?→

Is a SPA vulnerable to the BREACH https security exploit?

Posted on January 3, 2017 by jbandi

Encrypting the API response in a single page app

Posted on September 6, 2016 by geoboy

I am building a single-page(React-Redux on FE, Rails-API BE) application which makes a bunch of REST API calls to get certain information for logged-in users. Some subset of that information (categorization database) is more confidential t… Continue reading Encrypting the API response in a single page app→