How to mitigate Cross-Site Scripting (XSS) Attacks using msal-browser and msal-angular in production?

Khajo Elias 20 Reputation points
2023-12-20T14:46:41.1133333+00:00

Implementing a login solution using the Microsoft Identity Provider with OpenID Connect (OIDC).

  1. Is it safe to use the msal-browser and msal-angular libraries in an Angular application on production?
  2. How can Cross-Site Scripting (XSS) Attacks be mitigated? Is it possible to configure the system to only accept JWT tokens with the HttpOnly attribute?

Accepted answer
  1. hossein jalilian 2,835 Reputation points
    2024-02-02T03:14:45.6166667+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    1- Utilizing the msal-browser and msal-angular libraries in a production-grade Angular application is generally deemed secure, provided that you diligently stay updated with the latest versions, strictly adhere to security best practices during implementation, configure the libraries accurately in accordance with your security requirements, and ensure secure communication between your application and the identity provider through HTTPS.

    2- Adopting a comprehensive security approach is crucial, recognizing that while configuring JWT tokens with the HttpOnly attribute is not applicable (typically reserved for cookies), various essential measures can be implemented. These include thorough validation and sanitization of user inputs on both client and server sides, implementing a Content Security Policy to restrict unauthorized sources for scripts and styles, ensuring the HttpOnly attribute for authentication cookies, serving the application exclusively over HTTPS, leveraging frameworks like Angular with inherent protection against XSS attacks, and configuring appropriate token lifetimes to minimize the risk of security vulnerabilities.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


1 additional answer

  1. Bruce (SqlWork.com) 56,286 Reputation points
    2024-04-17T22:42:51.8566667+00:00

    The HttpOnly cookie attribute is set when the server sends the cookie to the browser. The browser does not send any of the attributes (HttpOnly, Expires, etc.) back to the server, only the cookie name and value. The server creating the cookie must be configured correctly.

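The mitigations named in the accepted answer (HttpOnly/Secure cookies set by the server, a Content Security Policy that blocks injected script) and the point in the second answer (the browser returns only name=value, never the attributes) can be checked mechanically. The following Node.js snippet is an added example, not code from the thread, MSAL, or Microsoft; the login origin, cookie names and sample headers are constructed assumptions.

```javascript
// Added example (not from the Q&A thread): build and audit the response headers
// the accepted answer recommends. Values below are constructed for illustration.
const LOGIN_ORIGIN = "https://login.microsoftonline.com"; // assumed IdP origin

// Server side: a cookie that page JavaScript cannot read. The browser enforces
// HttpOnly; the attribute itself is never echoed back in the Cookie header.
function buildAuthCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Strict`;
}

// CSP: no inline scripts, scripts only from our origin, token calls only to the IdP.
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "connect-src 'self' " + LOGIN_ORIGIN,
    "frame-src " + LOGIN_ORIGIN, // silent token renewal uses a hidden iframe to the IdP
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// What the browser actually sends back on later requests: only name=value pairs.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Audit a response's headers (lower-cased names, as Node exposes them) against
// the weak settings the answer warns about. Returns a list of findings.
function auditHeaders(headers) {
  const findings = [];
  const setCookies = [].concat(headers["set-cookie"] || []);
  for (const c of setCookies) {
    const attrs = c.toLowerCase();
    const name = c.split("=")[0];
    if (!/;\s*httponly/.test(attrs)) findings.push(`${name}: missing HttpOnly`);
    if (!/;\s*secure/.test(attrs)) findings.push(`${name}: missing Secure`);
    if (!/;\s*samesite=(strict|lax)/.test(attrs)) findings.push(`${name}: SameSite not Strict/Lax`);
  }
  const csp = headers["content-security-policy"];
  if (!csp) findings.push("missing Content-Security-Policy");
  else if (/script-src[^;]*'unsafe-inline'/.test(csp)) findings.push("CSP script-src allows 'unsafe-inline'");
  return findings;
}
```

Run `auditHeaders` against the headers your ASP.NET Core backend actually emits (for example in an integration test) to catch a cookie or CSP that was weakened during configuration.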