LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the security differences between traditional server-rendered web apps and modern SPA/API architectures?

Server-rendered apps mainly worry about CSRF (cookies auto-sent); SPA+API apps shift risk to XSS, token storage, and CORS, with a larger client-side attack surface.

Server-rendered (server builds HTML, session cookies, CSRF risk) vs SPA+API (client JS, JWT storage, XSS/token-theft/CORS).

* Server-rendered (CSRF-centric) versus SPA+API (XSS, token storage, CORS — a bigger client attack surface). *

Two fundamentally different security models:

Aspect Server-Rendered SPA + API
Rendering Server generates HTML Client-side JS renders UI
State Server-side sessions Often JWT tokens
Main risk CSRF (cookies sent automatically) XSS, token storage, CORS misconfig
Attack surface Smaller client-side Larger — more client code to audit
Auth Session cookies Every API endpoint needs auth/authz

SPA-specific challenges:

  • Token storage: localStorage vulnerable to XSS, cookies need proper flags (HttpOnly, Secure, SameSite)
  • CORS configuration: Often misconfigured, allowing unauthorized origins
  • DOM-based XSS: More client-side code means more XSS vectors

Modern architectures shift security complexity to both the client and the API layer.

Go deeper:

From Quiz: SPRG / Secure Architecture & Design | Updated: Jul 14, 2026