General Frontend Security

Framework-agnostic security practices for web applications based on OWASP guidelines.

When to Use This Skill

• Reviewing frontend code for security vulnerabilities
• Implementing client-side authentication flows
• Setting up secure cookie handling
• Configuring Content Security Policy
• Auditing third-party dependencies
• General frontend security questions

Skill Boundaries

Framework-Specific References

Key Principles

1. Never trust client-side validation – Server must always verify
2. Store tokens securely – Memory for access tokens, httpOnly cookies for refresh tokens
3. Prevent XSS – Never use innerHTML with user input; use textContent or DOMPurify
4. Protect against CSRF – Use CSRF tokens for state-changing requests + SameSite cookies
5. Configure CSP – Restrict script/style sources, use nonces, block framing
6. Minimize dependencies – Fewer deps = smaller attack surface; always run npm audit

Complete OWASP reference with code examples: owasp-reference.md

Security Checklist

Development

• No sensitive data in client-side code
• Environment variables separated (public vs private)
• Input validation on all user inputs
• XSS prevention (no innerHTML with user data)
• CSRF tokens for state-changing requests

Authentication

• Tokens stored securely (memory + httpOnly cookies)
• Token refresh mechanism implemented
• Proper logout (clear all client state)
• Session timeout configured

Configuration

• HTTPS enforced
• CSP headers configured
• Security headers set (X-Frame-Options, etc.)
• Cookies configured with secure flags
• CORS properly restricted

Dependencies

• npm audit clean (or accepted risks)
• package-lock.json committed
• SRI for external resources
• Regular dependency updates

Build & Deploy

• Debug mode disabled
• Console logs removed
• Source maps disabled or restricted
• Error messages generic (no stack traces)