Question: Securing Single-page-application from CSRF and XSS using CSP + localStorage


Securing Single-page-application from CSRF and XSS using CSP + localStorage

Answers 0
Added at 2016-12-29 22:12

I have a single page application, having sensitive content, and needs to be secured. This question is specific with securing against XSS and CSRF attacks.

Explanation: It has been suggested many places, for example here to use cookies on top of localStorage while storing the auth-token. A very nice explanation is also provided in answer of another question here.

Based on these answers, for secured contents, it is suggested to use cookies with ‘httpOnly’ and ‘secure’ options to avoid XSS; and implement CSRF protection by ourselves (something like anti-forgery-token in (Note that I am not on Asp .net, but at java stack).

Thought these blog and conversation are somewhat old, and with time, the scenario has changed somewhat. Now with Contents-Security-Policy header [CSP] with strict policy, risk of XSS attack can be minimized significantly. Also CSP is largely supported in modern-age browsers. Considering XSS security with CSP, now I feel, it is good option to use localStorage instead of cookies to avoid CSRF.

Question: Do you think of any disadvantage/security loophole for using "LocalStorage + CSP (no manual implementation)"


Cookies [httpOnly and secure] + “Manual” implementation of CSRF anti-forgery-token?


In addition to CSP response header, you can consider that X-XSS-Protection header is still supported as per suggestion over here.

You can consider the site is HTTPS, have having implementation of HSTS, HPKP security headers.

Source Show
◀ Wstecz