Backend for Frontend Security Framework with Erwin van der Valk
May 15, 2025
Erwin van der Valk, Principal Engineer at Duende Software, dives into the complexities of securing browser-based frontends with ASP.NET Core backends. He discusses the Backend for Frontend (BFF) security framework, which streamlines API integration for diverse clients. The conversation highlights the importance of robust user authentication, handling OAuth 2.0 challenges, and managing tokens securely. Erwin also explores the nuances of Blazor rendering modes and the architectural advantages of multi-frontend support to boost development efficiency.
BFF Pattern Secures Authentication
- Backend for Frontend (BFF) pattern authenticates on the server and uses secure cookies for the browser frontend.
- Cookies prevent exposing access tokens to the browser, reducing attack surface and token theft risk.
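A minimal ASP.NET Core sketch of the pattern described in this snip, added here as an illustration; it is not code from the episode or from Duende's BFF library, and it assumes a placeholder identity provider, client id and upstream API, plus the Microsoft.AspNetCore.Authentication.OpenIdConnect package.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient();
builder.Services.AddAuthorization();

// The browser only ever holds a session cookie; the OAuth/OIDC exchange and the
// resulting tokens stay on the server (the BFF).
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.Cookie.Name = "__Host-bff";             // host-only prefix: Secure, Path=/, no Domain
    options.Cookie.HttpOnly = true;                 // not readable from script, so XSS cannot read the session
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;  // not sent on cross-site requests
})
.AddOpenIdConnect(options =>
{
    options.Authority = "https://idp.example.test";           // placeholder identity provider
    options.ClientId = "bff-client";                          // placeholder client id
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
    options.ResponseType = OpenIdConnectResponseType.Code;    // code flow with PKCE
    options.UsePkce = true;
    options.SaveTokens = true;   // tokens go into the server-side auth ticket, never to browser storage
    options.Scope.Add("api");
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The frontend calls this same-origin endpoint with its cookie; the BFF attaches the
// access token to the upstream call, so the token never crosses into the browser.
app.MapGet("/bff/orders", async (HttpContext ctx, IHttpClientFactory httpClients) =>
{
    var accessToken = await ctx.GetTokenAsync("access_token");
    var client = httpClients.CreateClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    var response = await client.GetAsync("https://api.example.test/orders");  // placeholder upstream API
    return Results.Stream(await response.Content.ReadAsStreamAsync(),
                          response.Content.Headers.ContentType?.ToString());
}).RequireAuthorization();

app.Run();
```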
Script Injection via Image URLs
- Erwin discovered that image tags with URLs containing script can cause cross-site scripting.
- React does not handle script injection in image URLs, illustrating common vulnerabilities.
Separate Authentication from Authorization
- Authentication and authorization should be separated for better security management.
- Authorization often involves complex, domain-specific policies beyond identity provider roles.