.NET Rocks!

Backend for Frontend Security Framework with Erwin van der Valk

May 15, 2025
Join Erwin van der Valk, Principal Engineer at Duende Software and expert in web security, as he unravels the complexities of securing browser-based frontends using ASP.NET Core backends. He highlights the Backend for Frontend (BFF) pattern, addressing challenges with diverse clients and OAuth 2.0. The discussion dives into user role management, centralized authorization, and critical web application security strategies. Erwin emphasizes the importance of access token management and advanced authorization tactics to protect modern applications from vulnerabilities.
INSIGHT

Don't Store Access Tokens In The Browser

  • Browser-based SPAs increase the attack surface because first-party and third-party code all runs in the same origin, so an injected script runs with the same privileges as the application's own code.
  • Keep access tokens out of the browser: if a script injection succeeds, the attacker can then only ride the current session while the page is open, rather than exfiltrate a bearer token and impersonate the user from elsewhere for as long as it stays valid.
ANECDOTE

Image Src Can Carry Script And Cause XSS

  • Erwin discovered image src values can contain script and cause XSS when inserted unsafely into the DOM.
  • He found React didn't handle that particular case, highlighting surprising real-world pitfalls.
ADVICE

Perform Authentication On The Server

  • Authenticate on the server with a confidential OAuth 2.0/OIDC client (the client secret never reaches the browser) and issue an HttpOnly session cookie; the browser calls the backend with that cookie, and the backend attaches the access token to upstream API calls.
  • Configure the cookie attributes (HttpOnly, Secure, SameSite) and use the __Host- name prefix, which requires Secure, Path=/ and no Domain attribute, so the token-bearing session is unreachable from JavaScript and harder to plant or overwrite from a subdomain.
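The server-side authentication and cookie settings described in the advice above, together with the "tokens never reach the browser" point from the first snip, as an added ASP.NET Core minimal-API example. This is editor-written illustration, not code from the episode or from Duende's BFF library; the authority URL, client id, configuration key, scope name, upstream API URL and the X-CSRF header name are assumptions.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpClient();
builder.Services.AddAuthorization();

builder.Services.AddAuthentication(options =>
{
    // Requests are authenticated by the session cookie; an unauthenticated
    // request is challenged by redirecting to the identity provider.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    // __Host- prefix: browsers only accept it when Secure is set, Path is "/"
    // and no Domain attribute is present, so a sibling subdomain cannot plant it.
    options.Cookie.Name = "__Host-bff";
    options.Cookie.HttpOnly = true;                       // invisible to document.cookie
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;        // not sent on cross-site navigations
    options.Cookie.Path = "/";
    // Domain is intentionally left unset (required by the __Host- prefix).
    // Optional hardening: set options.SessionStore to an ITicketStore so the
    // tokens live server-side and only an opaque session id travels in the cookie.
})
.AddOpenIdConnect(options =>
{
    options.Authority = "https://idp.example.com";                 // assumed
    options.ClientId = "bff-client";                               // assumed
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"]; // confidential client
    options.ResponseType = OpenIdConnectResponseType.Code;         // code flow, no tokens in the URL
    options.UsePkce = true;
    options.Scope.Add("api");                                      // assumed API scope
    options.GetClaimsFromUserInfoEndpoint = true;
    // Tokens are kept in the authentication ticket (data-protected), never
    // handed to browser JavaScript.
    options.SaveTokens = true;
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Login/logout are server-side redirects; the SPA only navigates to them.
app.MapGet("/bff/login", () =>
    Results.Challenge(new AuthenticationProperties { RedirectUri = "/" },
                      new[] { OpenIdConnectDefaults.AuthenticationScheme }));

app.MapGet("/bff/logout", () =>
    Results.SignOut(new AuthenticationProperties { RedirectUri = "/" },
                    new[] { CookieAuthenticationDefaults.AuthenticationScheme,
                            OpenIdConnectDefaults.AuthenticationScheme }));

// BFF proxy endpoint: the browser sends only the session cookie; the server
// looks up the access token and forwards the call as a bearer request.
app.MapGet("/api/orders", async (HttpContext ctx, IHttpClientFactory factory) =>
{
    // Requiring a custom header (name assumed) makes the request non-simple,
    // so a cross-site caller is stopped by the CORS preflight even if SameSite
    // were relaxed; it is a cheap anti-CSRF check on top of SameSite=Strict.
    if (!ctx.Request.Headers.TryGetValue("X-CSRF", out var csrf) || csrf != "1")
        return Results.StatusCode(StatusCodes.Status403Forbidden);

    var accessToken = await ctx.GetTokenAsync("access_token");
    if (string.IsNullOrEmpty(accessToken))
        return Results.Unauthorized();

    var client = factory.CreateClient();
    client.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", accessToken);

    var upstream = await client.GetAsync("https://api.example.com/orders"); // assumed
    var body = await upstream.Content.ReadAsStreamAsync();
    return Results.Stream(body, upstream.Content.Headers.ContentType?.ToString(),
                          statusCode: (int)upstream.StatusCode);
}).RequireAuthorization();

app.Run();
```

From the browser the SPA calls `fetch("/api/orders", { headers: { "X-CSRF": "1" }, credentials: "include" })` and never sees an access token; if a script is injected it can issue requests through the same session while the page is open, but it has nothing to exfiltrate and the damage ends with the session.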