Thanks for posting your question in the Microsoft Q&A forum.
1- Utilizing the msal-browser and msal-angular libraries in a production-grade Angular application is generally deemed secure, provided that you diligently stay updated with the latest versions, strictly adhere to security best practices during implementation, configure the libraries accurately in accordance with your security requirements, and ensure secure communication between your application and the identity provider through HTTPS.
2- Adopting a comprehensive security approach is crucial, recognizing that while configuring JWT tokens with the HttpOnly attribute is not applicable (typically reserved for cookies), various essential measures can be implemented. These include thorough validation and sanitization of user inputs on both client and server sides, implementing a Content Security Policy to restrict unauthorized sources for scripts and styles, ensuring the HttpOnly attribute for authentication cookies, serving the application exclusively over HTTPS, leveraging frameworks like Angular with inherent protection against XSS attacks, and configuring appropriate token lifetimes to minimize the risk of security vulnerabilities.
Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.