Securing Single-page-application from CSRF and XSS using CSP + localStorage
Added at 2016-12-29 22:12
I have a single-page application that has sensitive content and needs to be secured. This question is specifically about securing it against XSS and CSRF attacks.
Though these blogs and conversations are somewhat old, the scenario has changed somewhat with time. Now, with the Content-Security-Policy header [CSP] and a strict policy, the risk of XSS attacks can be minimized significantly. Also, CSP is largely supported in modern browsers. Considering XSS security with CSP, I now feel it is a good option to use localStorage instead of cookies to avoid CSRF.
Question: Do you think of any disadvantage/security loophole in using "LocalStorage + CSP (no manual implementation)" versus cookies [httpOnly and secure] + a "manual" implementation of a CSRF anti-forgery token?
In addition to the CSP response header, you can consider that the X-XSS-Protection header is still supported, as per the suggestion over here.
You can consider that the site is HTTPS and has the HSTS and HPKP security headers implemented.