SPA – Single-Page Application

Posted on by tmack
Banner for Learning Computers post

Modern Web Architecture and Security

This was a new term for me as I started putting together my most recent study guide. SPA, which stands for Single-Page Application.  While it sounds like a simple website, an SPA represents a fundamental shift in how web applications function, bringing unique challenges to the world of information security.  Understanding SPAs is critical because they are the primary reason tools like PKCE and OIDC became industry standards.

What is a Single-Page Application?

In a traditional web application, every time you click a link, the browser requests a brand-new HTML page from the server. In an SPA, the browser loads a single shell of a page once. As you interact with the app, it dynamically updates the current page by fetching data from an API in the background.

  • Examples: Gmail, Facebook, or Slack.
  • The User Experience: It feels fast and fluid, much like a desktop or mobile app, because the page never “refreshes” in the traditional sense.

The Security Shift: From Server to Browser

The shift to SPAs moved the “intelligence” of the application from the secure, locked-down server to the user’s web browser.  This creates a specific set of security hurdles:

  1. No “Client Secret”: In traditional apps, the server can hide a password (client secret) to talk to an identity provider. In an SPA, any code you write is visible to the user via “View Source.” You cannot securely store a secret in a browser. This is why PKCE is mandatory for SPAs.
  2. Cross-Site Scripting (XSS): Because SPAs rely heavily on JavaScript to render data, they are prime targets for XSS attacks. If an attacker can inject malicious script, they can potentially steal tokens stored in the browser’s memory or local storage.
  3. Token Storage: Deciding where to store an OIDC ID Token or an OAuth Access Token in a browser (Local Storage vs. HttpOnly Cookies) is one of the most debated topics in modern web security.

Why You Need to Know This

When you are auditing a system or designing a security guide, identify if the front-end is an SPA. If it is, traditional “session-based” security often won’t work. You will need to ensure the developers are using Token-Based Authentication and implementing modern defenses like Content Security Policies (CSP) to mitigate the risks of running the entire application logic inside a user’s browser.