Secure Coding Practices for Frontend Engineers

-

Modern frontend engineers build applications that are richer and more complex than ever. With React, TypeScript, and Node.js powering SPAs and APIs, the frontend is an active part of the security perimeter. This article maps practical secure coding practices for frontend engineers to the OWASP Top 10 (2021), giving you a clear checklist for building safer apps.

1 — Broken Access Control

Why it matters: Relying only on client-side UI restrictions is insufficient — attackers may call backend endpoints directly.

Practices: Enforce access control server-side in Node.js, use frontend route guards for UX only, and avoid shipping privileged data in the bundle.

// React route guard (UX only — backend must enforce)
<Route path="/admin" element={user?.role === 'admin' ? <AdminPanel /> : <Navigate to="/403" />} />

2 — Cryptographic Failures

Why it matters: Mishandled tokens and secrets lead to data exposure.

Practices: Use HTTPS & HSTS, store session tokens in HttpOnly Secure cookies, and never hardcode secrets in frontend code.

// Good: expose only public keys to frontend
const STRIPE_PUBLIC_KEY = import.meta.env.VITE_STRIPE_PUBLIC_KEY;

3 — Injection

Why it matters: XSS and other injection flaws let attackers run arbitrary code in a user's browser.

Practices: Sanitize untrusted HTML (DOMPurify), validate inputs both client & server (TypeScript + Zod), and avoid inserting raw HTML.

import DOMPurify from 'dompurify';
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />

4 — Insecure Design

Why it matters: Security needs to be part of the architecture, not an afterthought.

Practices: Threat model your application flows, apply least privilege, and design robust session & logout behavior.

5 — Security Misconfiguration

Why it matters: Misconfigured headers, CORS, or debug settings open easy attack surfaces.

Practices: Use Helmet for headers, configure a strict CSP, avoid wildcard CORS, and remove debug instrumentation in production.

import helmet from 'helmet';
app.use(helmet());

6 — Vulnerable and Outdated Components

Why it matters: A vulnerable npm dependency can compromise your whole app.

Practices: Run npm audit, use Dependabot/Renovate, prefer maintained libraries and pin versions with lockfiles.

7 — Identification & Authentication Failures

Why it matters: Weak session management and exposed tokens enable account takeover.

Practices: Use secure cookies, handle token expiry gracefully, never leak tokens in logs or URLs, and implement refresh & revocation.

8 — Software & Data Integrity Failures

Why it matters: Supply chain attacks and tampered assets break trust in your frontend.

Practices: Use Subresource Integrity (SRI) for third-party scripts, prefer trusted CDNs or self-host, and harden CI/CD pipelines.

<script src="https://cdn.example.com/lib.js"
  integrity="sha384-abc123..."
  crossorigin="anonymous"></script>

9 — Security Logging & Monitoring Failures

Why it matters: Lack of monitoring means incidents go undetected.

Practices: Use frontend error monitoring (Sentry), log critical auth events server-side, avoid logging secrets, and configure alerts for suspicious activity.

10 — Server-Side Request Forgery (SSRF)

Why it matters: While SSRF is mainly a backend concern, the frontend can accidentally expose dangerous capabilities (e.g., letting users supply URLs to backend proxies).

Practices: Never let the frontend send arbitrary internal URLs to the backend — use server-side allowlists and validate inputs.

Quick Checklist

☑️ Sanitize all untrusted HTML
☑️ Use HTTPS + security headers
☑️ Validate input on client & server
☑️ Keep dependencies updated
☑️ Store tokens securely (HttpOnly cookies)
☑️ Apply least privilege in UI and APIs
☑️ Monitor and log suspicious behavior
☑️ Use CSP and SRI for runtime protection

Security is a habit — embed these practices into your day-to-day workflow and your applications will be safer by design. For further reading, visit the OWASP Top 10 and the React security guide.

Comments

Post a Comment

Popular posts from this blog

Building a Scalable Test Automation Framework for Large Applications: TypeScript, Playwright, Screenplay & Serenity BDD

-
Testing large, complex web applications is a monumental challenge. As applications grow, so does the test suite. Traditional test automation frameworks, often built on the Page Object Model (POM), can become brittle, hard to maintain, and difficult for non-technical stakeholders to understand. What if we could build a framework that was not only robust and scalable but also produced living documentation that the entire team—from developers to business analysts—could use? In this post, we'll build a production-grade test automation framework from the ground up. We'll combine the power of modern tools and patterns to create a solution that is maintainable, readable, and ready for the demands of large-scale applications. Table of Contents The Dream Team: Our Technology Stack Why This Stack? The Core Concepts Setting Up the Project: The Bluepri...
Read more

Setting up a global .gitignore on a Mac

-
I work with multiple OSes, programming languages and frameworks so here is a tip on keeping your git repos clean. I create a global .gitignore file to exclude platform related files (OS and IDE) and then when I create a new project I create a project specific .gitignore for the project related files which is specific to the languages and frameworks I am using in the project. Creating a global gitignore on a Mac You may name the file and place it where you want. I typically just name it .gitignore and store at '~/.gitignore'. Set it by running the following in a terminal: git config --global core.excludesfile '~/.gitignore' Example global gitignore Here is my global which I place at '~/.gitignore' Project specific gitignore GitHub have created a repo as a guide for what to include in your .gitignore for specific languages and frameworks: https://github.com/github/gitignore .
Read more

The Modern Engineer's Playbook for Continuous Growth

-
In the world of software engineering, the ground is constantly shifting beneath our feet. New frameworks emerge, languages evolve, and best practices are redefined. The pressure to "keep up" can feel overwhelming. But what if we stopped seeing learning as a frantic race and started treating it as a core, sustainable part of our craft? True, lasting growth isn’t about cramming for the next tech trend. It's about building a robust, personal system for learning that integrates seamlessly into your work. It's about evolving from a specialist or a generalist into something far more powerful. Let's break down the playbook for building this sustainable learning habit. The Goal: The "T-Shaped" Individual Before we talk about how to learn, let's define the why . The ultimate goal for a modern engineer isn't just to be a deep expert in one thing (an "I-shaped" individual) or a shallow generalist ...
Read more