Exactly what I needed for what I’ve been thinking about the last week when it comes to the rewriting of an out-of-date SPA which utilizes the Implicit Flow.
If a hacker was able to run their code in a third-party frontend, doesn't that mean they can scan the DOM and extract all valuable information from there, and even emulate user activity by triggering clicks and form submits? If yes, then what is the point of keeping the access token on the backend?
Not if they don't have a token for it.
@35:31 BFF idea!
I didn't get the X-CSRF header trick. What's the point if we have the SameSite cookie that automatically prevents CSRF attacks?
could you please share the demo code?
absolutely great, thank you
great work
Thank you
Excellent! (y)
Thank you
Thank you