Quiz Entry - updated: 2026.07.14
What are the security differences between traditional server-rendered web apps and modern SPA/API architectures?
Server-rendered apps mainly worry about CSRF (cookies auto-sent); SPA+API apps shift risk to XSS, token storage, and CORS, with a larger client-side attack surface.
* Server-rendered (CSRF-centric) versus SPA+API (XSS, token storage, CORS — a bigger client attack surface). *
Two fundamentally different security models:
| Aspect | Server-Rendered | SPA + API |
|---|---|---|
| Rendering | Server generates HTML | Client-side JS renders UI |
| State | Server-side sessions | Often JWT tokens |
| Main risk | CSRF (cookies sent automatically) | XSS, token storage, CORS misconfig |
| Attack surface | Smaller client-side | Larger — more client code to audit |
| Auth | Session cookies | Every API endpoint needs auth/authz |
SPA-specific challenges:
- Token storage: localStorage vulnerable to XSS, cookies need proper flags (HttpOnly, Secure, SameSite)
- CORS configuration: Often misconfigured, allowing unauthorized origins
- DOM-based XSS: More client-side code means more XSS vectors
Modern architectures shift security complexity to both the client and the API layer.
Go deeper:
OWASP CSRF Prevention Cheat Sheet — tokens, SameSite, and why XSS defeats CSRF defenses.
MDN — Cross-Origin Resource Sharing (CORS) — how CORS works and why a wildcard origin is dangerous for a SPA's API.
Wikipedia — Single-page application — how a SPA renders client-side and pulls data from a backend API.