Protecting your company’s web applications from cybercriminals requires a proactive strategy. These risks affect apps ranging from simple SPAs to more complex web solutions. Applications using libraries, third-party services, or NPM packages only add to the difficulty of maintaining a strong cybersecurity footprint. Preventing various cyber attacks in this environment becomes paramount!
Adopting the backend for frontend (BFF) pattern provides an effective solution for software engineers. In this scenario, access tokens are stored on the web server, using an encrypted cookie for session management. This approach prevents attackers from using JavaScript or other means to steal tokens within the browser to access an app’s APIs. With a BFF approach, you can rest easy by deploying more secure web applications.
Let’s examine some of the most critical reasons for adopting BFF as part of your web app architecture. Duende’s best-of-breed Backend for Frontend security framework implements the IETF’s best current practices into a straightforward SDK for .NET developers. It’s the perfect solution to use in tandem with our IdentityServer OpenID and OAuth 2.0 framework.
1. Eliminating Access Token Theft
Access tokens residing in the web browser are attractive targets for cybercriminals. Their theft allows these malicious actors to effectively take over a user’s session. Additionally, extracting the authentication token provides the unethical hacker the means to access the application. As a result, this cyber attack vector must be prevented at all costs.
Thankfully, web application designs leveraging the BFF pattern effectively eliminate access token theft. With Duende’s BFF approach, all access tokens are managed at the server level. The browser only stores an encrypted session cookie that identifies the logged-in user; the tokens themselves never leave the server. This pattern greatly increases the security of browser-based applications.
Keeping the lifecycle of an access token as short as possible remains critical. Managing them on the server simply offers a more effective cybersecurity option for your team. Explore the Duende BFF product page for additional insights on how it protects your web applications.
2. Preventing Cross-Site Scripting (XSS) Attacks
Protecting against XSS attacks on the modern web remains a complex proposition. This is especially the case for companies with web-based applications using a variety of third-party libraries and frameworks. Additionally, those external packages have their own dependencies which must be considered. It’s a scenario where relying on a frontend-only cybersecurity approach becomes insufficient.
While some options exist for mitigating the risks of XSS on the browser, sophisticated hackers can bypass some of them, especially input validation. In that environment, keeping OAuth logic and tokens in the browser no longer offers sufficient protection. The BFF pattern ultimately provides a deeper level of security: eliminating the use of tokens within the browser simply makes life difficult for unethical hackers.
Leveraging a signed and encrypted cookie as the only session management component offers a more secure approach. Any tokens are managed at the server, on a platform with stronger protection from XSS and similar attacks. Keeping these high-value access tokens out of the browser prevents them from being stolen by injected JavaScript.
3. Reducing the Risks of Cross-Site Request Forgery (CSRF)
We already mentioned how large web applications using a host of third-party libraries and packages pose significant cybersecurity risks. Browsers automatically attach a site’s cookies to requests bound for that site, even when another site initiated the request, and misconfigured cookie attributes can let those authenticated requests reach your APIs from outside your own origin. In this scenario, the risks of cross-site request forgery (CSRF) attacks greatly increase. Software architects also need to consider a related concern: misconfigured cross-origin resource sharing (CORS).
Adopting a BFF architectural approach effectively reduces the risks from this type of cyber attack. In this situation, the frontend passes a custom header along with each API request; a cross-site form or image cannot set such a header, and a cross-origin script that tries to add one triggers a CORS preflight that the server can refuse. The server then manages calls to any external APIs through a proxy. Internal APIs are accessed directly, with all authenticated calls managed by the BFF framework.
The Duende BFF framework includes CSRF protection as one of its core functionalities. It especially makes sense for companies with complex apps using multiple third-party resources. Of course, single-page applications also benefit from this state-of-the-art cybersecurity framework.
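As an added illustration (not Duende’s implementation, and not code from the original post), the following minimal ASP.NET Core host applies the two ideas this section describes: a hardened session cookie and a custom header that every API call must carry. The header name X-Example-CSRF is a placeholder chosen for this example.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Session cookie hardening: HttpOnly keeps it away from script, Secure limits it
// to TLS, and SameSite=Strict stops the browser attaching it to cross-site requests.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o =>
    {
        o.Cookie.HttpOnly = true;
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        o.Cookie.SameSite = SameSiteMode.Strict;
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Placeholder header name for this example. An HTML form, <img> or top-level
// navigation cannot add a custom header, and a cross-origin fetch that adds one
// is forced into a CORS preflight that this host never approves, so a request
// that carries the cookie but lacks the header is treated as forged.
const string AntiForgeryHeader = "X-Example-CSRF";

app.Use(async (ctx, next) =>
{
    if (ctx.Request.Path.StartsWithSegments("/api")
        && !ctx.Request.Headers.ContainsKey(AntiForgeryHeader))
    {
        ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return;
    }
    await next();
});

// The same-origin SPA calls this with
// fetch("/api/profile", { headers: { "X-Example-CSRF": "1" } }).
app.MapGet("/api/profile", (HttpContext ctx) =>
        Results.Ok(new { name = ctx.User.Identity?.Name }))
   .RequireAuthorization();

app.Run();
```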
4. Flexible Scoping of Access Tokens
An especially useful feature of the Duende BFF solution is its ability to scope access tokens between the user and client. This capability makes it easier to call remote APIs that require a token. You gain the flexibility to forward a user token, a client token, or either one, as the remote API requires.
Our framework includes a RequireAccessToken method to support this feature. Pass it a TokenType parameter to select the behaviour for your scenario. The three options are as follows:
- User: Requires a valid user access token to be sent to the API. This token gets generated when the user first logs in, and is automatically refreshed if necessary.
- Client: This option requires a client token associated with a client application and not a specific user. These tokens are obtained using the client credentials flow.
- UserOrClient: Either a valid user token or a client token is required; whichever is available is forwarded to the remote API.
5. Combining Local and Remote APIs using the Same Endpoint
Another critical benefit of the Duende BFF framework involves combining local and remote APIs through the same endpoint. In this scenario, access to the remote API is proxied in the BFF layer. It authenticates the frontend request with the session cookie, retrieves the matching access token, and forwards the call, with that token attached, to the remote API.
This feature provides developers with the flexibility to seamlessly access both local and remote APIs from the same backend. In addition to working with a simple HTTP forwarder, the Duende BFF also supports using Microsoft’s YARP reverse proxy. This approach lets you leverage the additional features of YARP in tandem with our state-of-the-art security and identity functionality.
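Added example (not from the original post, though it uses the Duende BFF public API named in sections 4 and 5) that brings both sections together: one BFF host exposing a local API plus two remote APIs proxied under the same origin, one forwarded with the user’s token and one with a client-credentials token. The issuer URL, client id, secret placeholder and remote hostnames are assumed values.

```csharp
using Duende.Bff;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "cookie";
    options.DefaultChallengeScheme = "oidc";
    options.DefaultSignOutScheme = "oidc";
})
.AddCookie("cookie", o =>
{
    o.Cookie.HttpOnly = true;                      // never readable by browser script
    o.Cookie.SameSite = SameSiteMode.Strict;
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
})
.AddOpenIdConnect("oidc", o =>
{
    o.Authority = "https://identityserver.example";   // placeholder issuer
    o.ClientId = "bff-sample";                         // placeholder client id
    o.ClientSecret = "<client-secret>";                // placeholder; load from a secret store
    o.ResponseType = "code";
    o.Scope.Add("openid"); o.Scope.Add("profile"); o.Scope.Add("offline_access");
    o.SaveTokens = true;   // tokens live in the server-side session, not the browser
});

builder.Services.AddBff().AddRemoteApis();   // AddRemoteApis enables the HTTP forwarder

var app = builder.Build();
app.UseAuthentication();
app.UseBff();
app.UseAuthorization();

app.MapBffManagementEndpoints();             // /bff/login, /bff/logout, /bff/user, ...

// Local API on the same origin: cookie auth plus the BFF anti-forgery header check.
app.MapGet("/api/local/orders", () => Results.Ok(new[] { "order-1" }))
   .RequireAuthorization()
   .AsBffApiEndpoint();

// Remote API called on behalf of the signed-in user: the BFF attaches (and refreshes) the user token.
app.MapRemoteBffApiEndpoint("/api/orders", "https://orders.example/api")
   .RequireAccessToken(TokenType.User);

// Remote API that only needs the application's own identity: client-credentials token.
app.MapRemoteBffApiEndpoint("/api/catalog", "https://catalog.example/api")
   .RequireAccessToken(TokenType.Client);

app.Run();
```

The SPA calls /api/local/orders, /api/orders and /api/catalog as ordinary same-origin requests; no token ever reaches the browser.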
Duende’s State of the Art Backend for Frontend Security Framework
If you want to explore using the BFF pattern for your web applications, consider the Duende Backend for Frontend framework. Our solution supports popular modern development solutions, like Angular, React, Vue, and even Blazor WASM applications. It keeps those insecure tokens out of the browser, effortlessly managing them on the server.
Also, expect seamless integration with our OpenID/OAuth 2.0 framework for ASP.NET Core, IdentityServer. Connect with our team to discuss how our solutions improve the security of your company’s web applications.