Single page web applications and how to keep them secure
2021-07-02 05:00

Built on what is known as a single page app (SPA) framework, these apps represent the next generation of modern software design, offering a faster and cleaner user experience than traditional multi-page websites.

In a traditional multi-page website, each page generally interacts directly with the server and back-end databases on every individual page load. That design now represents a legacy approach to building web applications.

In contrast, an SPA consists of a single web page that frequently refreshes itself through multiple API calls.

The architecture of SPAs presents new vulnerabilities for attackers to exploit, because the attack surface shifts away from the client layers of the app to the APIs, which serve as the data transport layer that refreshes the SPA. With multi-page web apps, security teams need to secure only the individual pages of the app to protect their sensitive customer data.

Traditional web security tools such as web application firewalls cannot protect SPAs because they do not address the underlying vulnerabilities found in the embedded APIs and back-end microservices.

In the 2019 Capital One data breach, the hacker reached beyond the client layer by attacking Capital One's WAF and extracted data by exploiting underlying API-driven cloud services hosted on AWS. SPAs require a proper indexing of all their APIs, similar to how multi-page web apps require an indexing of their individual pages.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/ilqJq7_lvEA/