With the web constantly evolving, Single Page Applications have become a prevalent style of applications used on the frontend. It is explained by higher demands on user experience and infrastructure management, which SPAs are great at. However, handling the security of such apps can be challenging.
SPA Security Problem
In a traditional approach, a user’s access to a web application was controlled using a cookie-based session. In this setup, the frontend client uses cookies to authorize a user during calls to the backend.
Since SPAs has no dedicated backend at all, the user session cannot be kept in a cookie. Instead, access tokens are used to enable the SPA to call APIs on behalf of the authenticated user.
The shift from handling authorization with cookies to access tokens has some severe security implications, including the vulnerability to XSS attacks or access by malicious codes.
Solution
Currently, SPAs have no universal means of keeping access and refresh tokens secure from malicious code. The only way is to keep the tokens away from the browser which can be achieved by adding a backend component to handle tokens and issue secure cookies to the frontend — often referred to as a Backend for Frontend (BFF) approach.
The advanced of the common BFF design pattern is the Token Handler approach. In this extended form, the SPA’s OpenID Connect security is implemented in an API driven manner:
Using this approach, all communication from the SPA to the Authorization Server will now go through the token handler, and tokens will not reach the SPA at all. The token handler now issues session cookies to the SPA. Even though we’re dealing with a SPA, the security level is on par with a website with a backend.
Want to learn more about the Token Handler?
Here are some resources to help you:
- Article The Token Handler Pattern for Single Page Applications
- Curity blog post Token Handler: The Single Page Application’s New BFF
- Token Handler End-to-End Tutorial
- Code example SPAs using the Token Handler Pattern
- Join us at this webinar on November 9 to learn more about the Token Handler design pattern, how it can help with securing your single page applications and how to implement it: Hardening Single Page Application Security webinar
