Travis Spencer is founder of Curity, LLC, an identity and access management and API access security company.

Single-page applications (SPAs) have recently emerged as one of the most notable trends in web development. SPAs dynamically update content in the user’s browser instead of loading entire website pages from a server. This offers several advantages compared to traditional websites. SPAs provide fast user experiences that deliver information quickly and don’t require the user to navigate through multiple page links.

In addition to better user experiences, SPAs offer benefits for developers. SPAs don’t need as much server space as websites and can be built and launched rapidly with tools like Angular and React. Plus, SPAs enable organizations to combine backend development and frontend development or keep them separate. As a result, SPAs can be built and managed by teams to optimize specialized IT and user experience expertise and improve operations efficiency.

The Trouble With SPAs

SPAs offer strong advantages, but their positive aspects are offset by one significant challenge: SPAs are difficult to secure.

With SPAs, authentication processes must run in the user’s browser. They require access tokens to call APIs for identity verification, and in many cases, these APIs are external third-party data sources or microservices that may not have encryption or other adequate security measures. Plus, storing security tokens in the browser during the user’s session leaves code and data vulnerable to malicious attacks.

This SPA security shortfall is frequently exploited by hackers in multiple ways; however, a few threats stand out as the most commonly occurring cyberattacks that SPA developers must be prepared to defend against.

Cross-Site Scripting Or Session Hijacking Attacks

Cross-site scripting (XSS) attacks, a form of session hijacking, are the most prolific type of threat against websites and applications. In an XSS attack, the hacker is able to inject and run their own code in the SPA to steal access tokens and infiltrate an organization’s data stores. XSS threats are particularly dangerous because attackers can perform the same actions as the user for as long as the session is valid or the SPA is open.

Cross-Site Request Forgery Or Session Riding Attacks

While XSS attacks involve the malicious actor gaining access to an application and performing actions remotely, cross-site request forgery (CSRF) attacks occur when the user is tricked into performing an action through their own browser.

CSRF attacks often involve fake SPAs that dupe the user into an action like changing their account email address or filling in a form. These actions are then exploited by the attacker who visits the real SPA and uses the stolen credentials to gain access to the targeted organization’s data and systems.

Sending Data Out Of The Browser

If the attacker manages to acquire tokens or data by performing an XSS attack on an API, there is a risk that this information could be sent to a remote host controlled by the attacker for further processing, storage or abuse. Another negative aspect of this threat is that data exfiltration is not always immediately detected, or sometimes missed altogether.

Best Practices For SPA Security

Some recommendations for securing SPAs are aligned with widely accepted security policies that are probably already part of your web development, identity and access management and data storage practices. These include using HTTPS, setting proper security response headers and establishing least privilege access policies.

Adequately securing SPAs must go beyond these general web security and data access management practices, however. It requires a specific focus on API access control, particularly access tokens, to address SPAs' most significant vulnerability—browser-based user authentication. The following practice recommendations help mitigate the risk of token exfiltration attacks like XSS:

• Limiting Access Token Session Scope: User sessions should only allow API calls to endpoints that are available to the user interface. This helps limit the actions available to an attacker should they gain access.

• Using Short-Lived Access Tokens: Keep access token life spans between five and 15 minutes. This reduces the impact of a stolen access token because attackers have less time to access and exfiltrate data.

• Using Handle Access Tokens: Use access tokens that hide valuable information like personally identifiable information (PII). Handle or opaque token formats require introspection to get full token details, making it more difficult for attackers to access sensitive data.

• Using The Token Handler Pattern: Leverage the token handler security methods that minimize the data stored and processed in the browser. Unlike traditional SPA authentication, which processes tokens in the browser where they can be exposed to attacks, the token handler pattern uses a backend for frontend (BFF) authentication strategy that adds a lightweight token processing layer outside of the browser.

This pattern uses secure cookies instead of access tokens in the browser. The cookies are converted to tokens on the backend by an OAuth proxy with an API gateway.

How Innovative API Access Control Paves The Way For Secure SPAs

As consumers increasingly expect anytime, anywhere brand engagement and access to information, SPAs offer a compelling way to deliver these experiences. However, the security concerns associated with SPAs can be an obstacle for the cybersecurity and development teams tasked with deploying them.

Fortunately, SPA security is becoming a larger part of conversations about cybersecurity and application development, and practitioners are sharing more best practice recommendations. Designing SPAs that include strong security measures enables organizations to confidently use SPAs in their digital service delivery strategies and leverage the competitive edge SPAs can provide.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?