10 changes: 5 additions & 5 deletions public/uploads/rules/browser-security-patterns/rule.mdx
@@ -29,7 +29,7 @@ Let’s take a light-hearted but practical tour of how browser security has evol

<endIntro />

## 1. Cookie-Based Authentication (Traditional Web Apps)
## 1. Cookie-Based Authentication

The oldest and most battle-tested approach. Server-rendered apps relied heavily on cookies for session management, long before OAuth and SPAs came along. While simple and effective, cookies had to evolve with new browser features to keep up with modern threats.

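Review bot: Renaming `## 1. Cookie-Based Authentication (Traditional Web Apps)` (and the four sibling headings in this commit) changes the heading text from which most MDX/markdown pipelines derive the section's anchor id, so any existing deep links or table-of-contents entries that point at the old fragment will break; please confirm nothing links to the old anchors, or add explicit ids or redirects. Dropping the qualifier itself reads fine here, since the unchanged paragraph below already states that the pattern belongs to server-rendered apps.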
@@ -69,7 +69,7 @@ The oldest and most battle-tested approach. Server-rendered apps relied heavily
figure=""
/>

## 2. OAuth 2.0 Implicit Flow (SPAs v1)
## 2. OAuth 2.0 Implicit Flow

As SPAs emerged, developers needed a way to authenticate without a backend. The Implicit Flow was introduced to give client-side apps direct access to tokens - a clever hack for its time, but one that opened the door to serious security issues.

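Review bot: Dropping `(SPAs v1)` here and `(SPAs v2)` in section 3 removes the only explicit cue that sections 2 and 3 are successive generations of the same SPA pattern. The ordering still survives in the body of section 3 ("To fix the flaws of the Implicit Flow, PKCE ... came into play"), but consider adding a one-clause cross-reference in this section so the unchanged bullet `* Rarely recommended today.` points the reader at the replacement.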
@@ -96,7 +96,7 @@ As SPAs emerged, developers needed a way to authenticate without a backend. The
* Historically used for early Angular/React apps with no backend.
* Rarely recommended today.

## 3. OAuth 2.0 Authorization Code Flow with PKCE (SPAs v2)
## 3. OAuth 2.0 Authorization Code Flow with PKCE

To fix the flaws of the Implicit Flow, PKCE (Prook Key for Code Exchange) came into play. This was a big leap forward for SPAs, giving them a safer way to obtain tokens directly. But while more secure, it still left the browser holding sensitive tokens.

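Review bot: The unchanged context line directly below the renamed heading still reads `PKCE (Prook Key for Code Exchange)`; the acronym expands to Proof Key for Code Exchange (RFC 7636), so the typo should be fixed in the same commit while this section is being touched. The rename itself is consistent with the other headings in the diff.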
@@ -148,9 +148,9 @@ When applications grew into ecosystems of microservices, authentication had to s
* Enterprises with multiple frontends + microservices.
* Teams already using API gateways (Kong, Apigee, AWS API Gateway).

## 5. Backend-for-Frontend (BFF)
## 5. Backend-for-Frontend

The modern favorite. BFFs combine the simplicity of cookies with the security of OAuth. By keeping tokens server-side and giving the browser only safe cookies, BFFs drastically reduce the attack surface for SPAs.
The modern favorite. Backend-For-Frontend (BFF) combine the simplicity of cookies with the security of OAuth. By keeping tokens server-side and giving the browser only safe cookies, BFFs drastically reduce the attack surface for SPAs.

📅 **Era:** Modern standard (\~2020+).

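Review bot: The new line `The modern favorite. Backend-For-Frontend (BFF) combine the simplicity of cookies ...` has a subject-verb agreement error and capitalizes `For` inconsistently with the heading on the line above; it should read `Backend-for-Frontend (BFF) combines the simplicity of cookies ...`. Spelling the acronym out in the body is the right call now that the heading no longer carries `(BFF)`, because the later sentence `BFFs drastically reduce the attack surface for SPAs` depends on the reader knowing the term.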