A small guide to authentication and security for SPA

stereobooster - Oct 25 '18 - - Dev Community

This is by no means is an exhaustive guide, just for you get started.

Setup: let's assume we want to build new SPA deployed to m.example.com, also we have an old application, for example, Ruby on Rails, deployed to www.example.com. The new application will be a static website, e.g. we will only have assets (JS, HTML, CSS, images) deployed there (it could be an application with backend and SSR, but let's omit this for simplicity). Also, we will have api.example.com as API endpoint for our SPA application.

Shared sessions

We want to share sessions across new and old applications. To do this we need to use cookies at the root domain - HTTP headers for cookies can look like this:

set-cookie: SID=...; Domain=.example.com

Pay attention to the dot at the beginning of the domain. This way browser will send cookies to all of our subdomains e.g. m.example.com, www.example.com, api.example.com. Once the user authenticates in one of our services their will be authenticated everywhere.

Security for cookies

All of those considerations are for api.example.com and www.example.com.

HttpOnly

HttpOnly directive disallows access to cookies for JavaScript to prevent hijacking of the session through XSS.

set-cookie: SID=...; HttpOnly

Secure

Secure directive instructs the browser to send cookies only through HTTPSto prevent hijacking of the session through man in the middle attack. (Attack still possible if the attacker will be able to fake certificate)

set-cookie: SID=...;  Secure

SameSite

SameSite directive prevents CSRF attacks. I choose to use a more relaxed version of this directive (Lax) it should be enough in most cases (read about instruction and see yourself if it is enough for you or not).

set-cookie: SID=...; SameSite=Lax

Security for assets

All of those HTTP headers are for m.example.com and www.example.com.

Strict-Transport-Security 

Strict-Transport-Security: max-age=86400

X-Content-Type-Options 

X-Content-Type-Options: nosniff

X-Frame-Options 

X-Frame-Options: DENY

X-XSS-Protection 

X-XSS-Protection: 1; mode=block

Content-Security-Policy

I don't use Content-Security-Policy in this post, but I strongly recommend you to use it. (Maybe I will write a separate post about it)

Security for API

CORS

Use CORS. Specify what methods are allowed, and for how long to cache preflight request

access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-max-age: 86400

Specify from which domain is allowed to access API

access-control-allow-origin: https://m.example.com

Specify allow-credentials otherwise, cookies won't work. Take into account that you can't use the star (*) with credentials directive.

access-control-allow-credentials: true

JSON API

For all requests, except maybe endpoints accessible without authentication, require Content-Type, this will trigger a check of CORS (via preflight request):

Content-Type: application/json; charset=utf-8

JS client

Now we have all the basics, it's time to actually make a call from our frontend to API. Let's use fetch API for this.

Anonymous requests

For endpoints which allow access from anonymous users use "plain" fetch. Don't use Content-Type, otherwise, it will become slower without any benefit for the user.

fetch(url)

Authenticated requests

For other requests use credentials: "include" to enable cookies (this is the default option in the latest Fetch specification, but not all browsers implemented it). Use headers: { "Content-Type": "application/json; charset=utf-8"} to trigger CORS check and actually pass check of the backend (which we "implemented" earlier).

For GET requests:

fetch(url, {
  credentials: "include",
  headers: { "Content-Type": "application/json; charset=utf-8"}
})

For POST requests:

fetch(url, {
  credentials: "include",
  headers: { "Content-Type": "application/json; charset=utf-8"},
  method: "POST",
  body: JSON.stringify(params)
})

Photo by Tianshu Liu on Unsplash

Image
UI vs. UX: What’s the difference?

ui, ux, webdev, design
Image
⚡ MyFirstApp - React Native with Expo (P20) - Code Layout Info Orders

react, reactnative, webdev, tutorial
Image
How to Initialize a Git Repository and Create a GitHub Repository Using the GitHub CLI
Image
How to Get the Directory Where a Bash Script is Located

bash, linux, beginners, automation
Image
How to a loader with Tailwind CSS

tailwindcss, tutorial
Image
⚡ MyFirstApp - React Native with Expo (P19) - Code Layout List Orders

react, reactnative, webdev, tutorial
Image
Styling Buttons with styled-jsx in Next.js

javascript, css, nextjs, webdev
Image
Marriage Halls In Medavakkam
Image
Introduction to Lotus365

lotus365, login, register
Image
The Ultimate Redis Command Cheatsheet: A Comprehensive Guide

webdev, beginners, javascript, redis
Image
Top 5 Best Hotel Management Courses 2024

hotel, management
Image
Top 5 Best Hotel Management Courses 2024

hotel, management
Image
Backtracking, Design and Analysis of Algorithms

algorithms, coding, programming, design
Image
Buy Verified Paxful Account

webdev, javascript, beginners, programming
Image
Popular Test Automation Frameworks: How to Choose

testautomation
Image
HNG11 Task 0: Article about Frontend Technologies

webdev, react
Image
CUDA 12: Optimizing Performance for GPU Computing
Image
Guide on Outsourcing Laravel Development Services in Canada 20

laravel, development
Image
Everything You Need to Know About Medical Gel Pads
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .