13 Security Tips for Front-End Apps

Lock your app down and make it less susceptible to bad actors


Whether you build with React.js, Angular, Vue.js, or plain JavaScript, your front-end code can be an inviting door for attackers.

As front-end developers we mostly concern ourselves with performance, SEO, and UI/UX; security is often overlooked.

You might be surprised how readily the big frameworks let you open yourself up to cross-site scripting (XSS). Each ships an escape hatch that bypasses its built-in output encoding, and the names are a warning in themselves: dangerouslySetInnerHTML in React, or the bypassSecurityTrust* methods in Angular. Use them only on markup you control, never on anything derived from user input.

We should keep in mind that the front end now carries as much security responsibility as the back end or DevOps. A great many attacks start, or succeed, in the browser.

Let’s look at the most common ones; together they cover a large share of the attacks a front-end app will face.


1. Unrestricted File Upload

This is an attack in which a file the application does not properly validate (by type, size, name or content) is uploaded to the server and then executed or served back to other users. The consequences range from a filled-up file system or database, to complete system takeover, client-side attacks on other users (an uploaded HTML file served from your own origin is an XSS vector), attacks forwarded to back-end systems that process the file, or simple defacement.
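As an added example (not code from the original article), here is a client-side pre-check of an upload that enforces an extension allow-list, a size limit, and a magic-byte check on the file content, so that a script renamed to `.png` is rejected even though its name looks harmless. The allowed types, the size limit, and the sample byte arrays are constructed for this demo; the same checks must be repeated on the server, because anything that runs in the browser can be bypassed.

```javascript
// Added example, not from the original article. Allow-list of upload
// types: file extension(s) plus the leading "magic" bytes the content
// must start with. Values are chosen for the demo.
const ALLOWED_TYPES = {
  png:  { ext: ['png'],         magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  jpeg: { ext: ['jpg', 'jpeg'], magic: [0xff, 0xd8, 0xff] },
  pdf:  { ext: ['pdf'],         magic: [0x25, 0x50, 0x44, 0x46] }, // "%PDF"
};
const MAX_BYTES = 5 * 1024 * 1024; // hypothetical 5 MiB limit

// True when the first bytes of the content equal the expected signature.
function hasMagic(bytes, magic) {
  if (bytes.length < magic.length) return false;
  return magic.every((b, i) => bytes[i] === b);
}

// Validate an upload before sending it. Returns { ok: true, type } or
// { ok: false, reason }. The browser-reported MIME type (file.type) is
// deliberately ignored: it is derived from the name and attacker-controlled.
function validateUpload(fileName, bytes) {
  if (bytes.length === 0) return { ok: false, reason: 'empty file' };
  if (bytes.length > MAX_BYTES) return { ok: false, reason: 'file too large' };

  const parts = fileName.toLowerCase().split('.');
  if (parts.length < 2) return { ok: false, reason: 'missing extension' };
  // Only the LAST extension counts: "shell.php.png" is treated as png and
  // still has to pass the content check below.
  const ext = parts[parts.length - 1];

  const entry = Object.entries(ALLOWED_TYPES).find(([, t]) => t.ext.includes(ext));
  if (!entry) return { ok: false, reason: `extension .${ext} not allowed` };

  const [type, spec] = entry;
  if (!hasMagic(bytes, spec.magic)) {
    return { ok: false, reason: `content does not look like ${type}` };
  }
  return { ok: true, type };
}

// Constructed sample inputs for the demo: a PNG header followed by the
// start of its IHDR chunk, and an HTML snippet an attacker might rename.
const PNG_HEADER = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const HTML_BYTES = new Uint8Array(
  Array.from('<script>alert(1)</script>', (c) => c.charCodeAt(0)),
);
```

In a browser the bytes come from the `File` object of an `<input type="file">`: `new Uint8Array(await file.arrayBuffer())`. Store accepted files under a server-generated name, never under the name the client supplied.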

2. Clickjacking

This is an attack in which the user is tricked into clicking an element of a different site, typically because the target page has been loaded in a transparent iframe laid over (or under) the page the user believes they are interacting with. It can cause users to unwittingly provide credentials or sensitive information, download malware, visit malicious web pages, purchase products online, or transfer money. The defence is to forbid other origins from framing your pages, using the Content-Security-Policy frame-ancestors directive (with X-Frame-Options as a fallback for older browsers).
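As an added example (not code from the original article), the following builds the two anti-framing response headers for a given framing policy and includes a small evaluator that applies a frame-ancestors directive the way a browser does, so you can check which embedders a policy admits before shipping it. The origins used are hypothetical; the header-building function is meant to be called from whatever server or CDN configuration sets your response headers.

```javascript
// Added example, not from the original article.

// Canonicalise an origin string and reject anything with a path, query
// or fragment, which frame-ancestors does not accept.
function normalizeOrigin(origin) {
  const u = new URL(origin);
  if (u.pathname !== '/' || u.search || u.hash) {
    throw new Error(`not an origin: ${origin}`);
  }
  return u.origin; // scheme://host[:port]
}

// allowed: [] denies all framing, ['self'] permits same-origin framing
// only, otherwise a list of 'self' and/or origins that may embed the page.
function antiFramingHeaders(allowed) {
  if (allowed.length === 0) {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  const sources = allowed.map((a) => (a === 'self' ? "'self'" : normalizeOrigin(a)));
  const headers = { 'Content-Security-Policy': `frame-ancestors ${sources.join(' ')}` };
  // X-Frame-Options cannot express a list of foreign origins (ALLOW-FROM is
  // obsolete), so it is only emitted when the policy is exactly same-origin.
  if (sources.length === 1 && sources[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Minimal evaluator of a frame-ancestors directive: pageOrigin is the
// origin of the framed page, parentOrigin the origin trying to embed it.
// Only 'none', 'self' and exact origins are handled (no host wildcards).
function framingAllowed(cspValue, pageOrigin, parentOrigin) {
  const m = /frame-ancestors\s+([^;]+)/.exec(cspValue);
  if (!m) return true; // no directive: browsers allow framing
  const sources = m[1].trim().split(/\s+/);
  if (sources.includes("'none'")) return false;
  return sources.some((src) =>
    src === "'self'" ? parentOrigin === pageOrigin : src === parentOrigin,
  );
}
```

Where both headers are present, browsers that understand frame-ancestors use it and ignore X-Frame-Options, so the CSP directive is the one that must be right. Apply it to every HTML response, not only the login page.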

3. XSS Attack

This is an attack in which malicious script is injected into a page and then runs in other users’ browsers with that page’s origin, so it can read cookies, tokens and the DOM, and act as the logged-in user. It succeeds wherever the site places untrusted data into HTML, attributes, URLs or JavaScript without encoding it for that context; the framework escape hatches mentioned above are the most common way of doing exactly that.
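As an added example (not code from the original article), the same untrusted comment is rendered two ways: by concatenating raw input into markup, which is what ends up in `innerHTML` or `dangerouslySetInnerHTML`, and by escaping every untrusted value first. The attacker payload and the comment-rendering functions are constructed for this demo.

```javascript
// Added example, not from the original article.

// The five characters that can terminate an HTML text node or a quoted
// attribute value, mapped to their entity forms.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for insertion into HTML text or a quoted attribute.
// (URL and JavaScript contexts need different encoders; this one is not enough there.)
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable: raw user input is concatenated into markup. Assigning the
// result to element.innerHTML hands the attacker a script execution
// context on your origin.
function renderCommentUnsafe(author, text) {
  return `<li><b>${author}</b>: ${text}</li>`;
}

// Hardened: every untrusted value is escaped before it touches the markup.
function renderCommentSafe(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// Constructed attacker payload: no <script> tag needed, an event handler
// on a broken image fires as soon as the element is parsed.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Does the rendered fragment still contain an executable element with an
// event-handler attribute from the payload?
function containsLiveMarkup(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}
```

Escaping is the fallback for the cases where you must build HTML strings by hand. The better default is not to build HTML from data at all: set `element.textContent`, or let the framework's normal binding (`{expr}` in React, `{{expr}}` in Angular) do the encoding, and reserve `dangerouslySetInnerHTML` and `bypassSecurityTrustHtml` for markup you wrote yourself.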

4. SQL injection

This is an attack in which attacker-controlled input from a form field or request parameter is concatenated into an SQL statement, so it changes the structure of the query instead of being treated as data. Depending on the statement and the database account’s privileges, the attacker can read, modify or destroy your data. The fix lives on the server (parameterized queries, never string concatenation), but the malicious input arrives through your forms and API calls.

5. Denial-of-service attack (DoS attack)

This is an attack in which the server or its resources are made unavailable to legitimate users by flooding it with more requests or traffic than it can handle.

6. Man-in-the-middle attack and session hijacking

In a man-in-the-middle attack, communication between client and server is intercepted (on an open Wi-Fi network, through a compromised proxy, or with a forged certificate the user is tricked into accepting) so that the attacker can read or alter it. Session hijacking is the usual payoff: the attacker steals the session cookie or token and then acts as the logged-in user without ever needing the password. Passwords, account numbers and any personal details sent over plain HTTP are exposed the same way.