Tag
spa-security
Safeguard articles tagged "spa-security" — guides, analysis, and best practices for software supply chain and application security.
3 articles
Application Security
Where should your SPA store auth tokens?
OWASP has warned against localStorage tokens for years, yet it remains the default in countless SPA tutorials — one XSS bug is all it takes to exfiltrate every session.
Jul 10, 20266 min read
Application Security
A methodology for testing SPAs for client-side vulnerabilities
DOM XSS, token storage, and API exposure don't show up in a server-side scan — here's a repeatable methodology for testing React, Vue, and Angular apps.
Jul 9, 20266 min read
Security Guides
Single-Page Application Security: Tokens, XSS, and the Public Bundle
In an SPA, one XSS is game over and your entire bundle is public. Here's how token storage, CSP, OAuth PKCE, and CORS decide whether your SPA holds.
Jul 7, 20265 min read