Security
Medium
Asked how I approach secure storage handling (localStorage / sessionStorage)
3 min
Category
XSS, CSRF, CSP, cookies, auth flows, OWASP for frontend.
13 questions
Asked how I approach secure storage handling (localStorage / sessionStorage)
Build a Security awareness (XSS, safe rendering)
CSRF = attacker tricks the user's browser into sending an authenticated request to your site. Defense: SameSite cookies (Lax/Strict), a CSRF token verified server-side for state-changing requests, and `Origin`/`Referer` checks. Token refresh: short-lived access token (~15min) + long-lived refresh token (HttpOnly cookie, rotated on each use, server-side revocable). On 401, hit /refresh, get a new access token, retry the request — with a mutex so concurrent requests don't trigger multiple refreshes.
How do you call and handle responses from AI APIs like OpenAI, Hugging Face, or Google Cloud AI
How do you handle privacy and security for AI-powered data
How do you handle rate-limiting or large payloads when consuming AI services
Frontend RBAC is UX, not security. Hide unauthorized UI but treat the server as the only authority. Encode permissions as capabilities (`can('edit:post', resource)`), not raw role names, so policies can evolve.
How do you secure your application from attacks
Session cookie: random opaque ID, server holds the truth, revoke instantly by deleting the session. JWT: signed token carries claims, stateless — server doesn't need to look anything up. Sessions win for typical web apps (revocation, security, simplicity). JWTs win for microservice-to-microservice auth and short-lived access tokens paired with refresh tokens. Storing JWTs in localStorage is the most common XSS footgun.
React's `{value}` auto-escapes — that's your default. The XSS surface in React is `dangerouslySetInnerHTML`, attacker-controlled URLs in `href`/`src`, `eval`/`new Function`/`setTimeout(string)`, and direct DOM manipulation via refs. Sanitize HTML with DOMPurify, validate URL schemes, ban `eval`-family, and add a strict Content-Security-Policy as a defense-in-depth.
What breaks if the merchant's CSP restricts inline scripts or frame-src
HttpOnly cookies aren't readable by JS — XSS can't exfiltrate the token. Combine with Secure, SameSite, and a CSRF strategy.
Write a function that safely serializes user input before it touches the DOM, probing XSS awareness in payment forms.