A small guide to authentication and security for SPA

stereobooster - Oct 25 '18 - - Dev Community

This is by no means is an exhaustive guide, just for you get started.

Setup: let's assume we want to build new SPA deployed to m.example.com, also we have an old application, for example, Ruby on Rails, deployed to www.example.com. The new application will be a static website, e.g. we will only have assets (JS, HTML, CSS, images) deployed there (it could be an application with backend and SSR, but let's omit this for simplicity). Also, we will have api.example.com as API endpoint for our SPA application.

Shared sessions

We want to share sessions across new and old applications. To do this we need to use cookies at the root domain - HTTP headers for cookies can look like this:

set-cookie: SID=...; Domain=.example.com

Pay attention to the dot at the beginning of the domain. This way browser will send cookies to all of our subdomains e.g. m.example.com, www.example.com, api.example.com. Once the user authenticates in one of our services their will be authenticated everywhere.

Security for cookies

All of those considerations are for api.example.com and www.example.com.

HttpOnly

HttpOnly directive disallows access to cookies for JavaScript to prevent hijacking of the session through XSS.

set-cookie: SID=...; HttpOnly

Secure

Secure directive instructs the browser to send cookies only through HTTPSto prevent hijacking of the session through man in the middle attack. (Attack still possible if the attacker will be able to fake certificate)

set-cookie: SID=...;  Secure

SameSite

SameSite directive prevents CSRF attacks. I choose to use a more relaxed version of this directive (Lax) it should be enough in most cases (read about instruction and see yourself if it is enough for you or not).

set-cookie: SID=...; SameSite=Lax

Security for assets

All of those HTTP headers are for m.example.com and www.example.com.

Strict-Transport-Security 

Strict-Transport-Security: max-age=86400

X-Content-Type-Options 

X-Content-Type-Options: nosniff

X-Frame-Options 

X-Frame-Options: DENY

X-XSS-Protection 

X-XSS-Protection: 1; mode=block

Content-Security-Policy

I don't use Content-Security-Policy in this post, but I strongly recommend you to use it. (Maybe I will write a separate post about it)

Security for API

CORS

Use CORS. Specify what methods are allowed, and for how long to cache preflight request

access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-max-age: 86400

Specify from which domain is allowed to access API

access-control-allow-origin: https://m.example.com

Specify allow-credentials otherwise, cookies won't work. Take into account that you can't use the star (*) with credentials directive.

access-control-allow-credentials: true

JSON API

For all requests, except maybe endpoints accessible without authentication, require Content-Type, this will trigger a check of CORS (via preflight request):

Content-Type: application/json; charset=utf-8

JS client

Now we have all the basics, it's time to actually make a call from our frontend to API. Let's use fetch API for this.

Anonymous requests

For endpoints which allow access from anonymous users use "plain" fetch. Don't use Content-Type, otherwise, it will become slower without any benefit for the user.

fetch(url)

Authenticated requests

For other requests use credentials: "include" to enable cookies (this is the default option in the latest Fetch specification, but not all browsers implemented it). Use headers: { "Content-Type": "application/json; charset=utf-8"} to trigger CORS check and actually pass check of the backend (which we "implemented" earlier).

For GET requests:

fetch(url, {
  credentials: "include",
  headers: { "Content-Type": "application/json; charset=utf-8"}
})

For POST requests:

fetch(url, {
  credentials: "include",
  headers: { "Content-Type": "application/json; charset=utf-8"},
  method: "POST",
  body: JSON.stringify(params)
})

Photo by Tianshu Liu on Unsplash

Image
Entendendo o PROCV: Como Utilizá-lo em Suas Análises de Dados
Image
Internal Developer Portals: Autonomy, Governance and the Golden Path

sre, idp, platformengineering, developers
Image
Stwórz swoją Oazę Spokoju: Inspiracje na Meble do Sypialni
Image
The Time Has Come To Expand Your Asbestos Cancer Claim Options
Image
10 Apps To Help Manage Your Causes Of Mesothelioma Other Than Asbestos
Image
Mai Huong Pham Thi
Image
SAT classes
Image
Will Drip Coffee Brewer Be The Next Supreme Ruler Of The World?
Image
10 Steps To Begin The Business Of Your Dream Coffee Filter Maker Business
Image
Understanding and Using Window Functions in SQL

sql, windowfunction, database, beginners
Image
12 Facts About Repair Bifold Door Bottom Pivot To Make You Look Smart Around The Cooler Water Cooler
Image
Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code
Image
Mengetahui Sumber Pendapatan Situs Taruhan Judi
Image
🚀 How I Built "News Pulse" with CopilotKit 🚀
Image
15 Up-And-Coming Accident Lawyer Jacksonville Bloggers You Need To Keep An Eye On
Image
A Provocative Rant About Wheelchair Self Propelled
Image
How To Choose The Right Self Propelled Wheelchair With Suspension Online
Image
You Are Responsible For The Asbestos Exposure Compensation Budget? 12 Top Ways To Spend Your Money
Image
Teknik Pilih Bandar Judi Online Berdasar pada Bonus
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player