
I'm working on a project that involves an SPA web application built with React, connected to an API that runs Express.

I have read many articles and questions on Stack Overflow. (Especially this link has a very detailed answer on it.) However, there is a point that I couldn't understand. I searched the questions and couldn't find any answer that includes IP restriction on the backend API side.

I want to send a JWT to authorized users that log in from the SPA and store the JWT in localStorage on the client side. The backend API will only be accessible from the SPA's IP address and will be closed to any other IPs. CORS will be configured to work only with the SPA's domain name as well.

So with this configuration in mind, is it still not safe to store JWTs in localStorage? As the API can still only be accessed from one IP, how can an attacker use the access token after grabbing it with an XSS attack?

Ozgur Sar

1 Answer


There are several attacks that can be applied in order to access the server:

  1. IP spoofing
  2. SSRF
  3. IP validation vulnerabilities: think of the fact that you need to check the IP, and an IP has many forms (IPv4, IPv6, hex, octal, etc.)
  4. Firewall / reverse proxy exploits

Best practices are meant to avoid mistakes, follow them.

BTW, I always recommend this article to make sense of JWT auth. (I changed my app implementation after I read it :) )

felixmosh
  • Thank you for the detailed answer Felix. So, did you choose the access token / refresh token method with httpOnly cookies? – Ozgur Sar Nov 03 '20 at 09:33
  • Yes, think of this: it has the benefits of all requirements. Silent access token refresh, not exploitable by XSS (not stored in localStorage), short life of the access token. – felixmosh Nov 03 '20 at 16:03
  • Thanks for the clarification. However, in that case, as we will be using cookies, we need to implement some sort of CSRF protection for the backend, right? – Ozgur Sar Nov 03 '20 at 16:07
  • Since there is only one endpoint which is actually relying on cookies (the refresh-token endpoint), you can make it a POST request and restrict the cookie to be registered only on this path. – felixmosh Nov 03 '20 at 18:04
  • Thank you very much @felixmosh – Ozgur Sar Nov 03 '20 at 18:09