DEV Community

Cover image for Broken Authentication in React.js: Fix It Fast
Pentest Testing Corp
Pentest Testing Corp

Posted on

Broken Authentication in React.js: Fix It Fast

Why Broken Authentication Happens in React

React runs in the browser, so anything you store or trust on the client can be stolen, forged, or replayed. Common pitfalls:

  • Tokens in localStorage (easy XSS loot)
  • No rate-limiting or MFA on login
  • Weak session cookie flags (no HttpOnly, Secure, SameSite)
  • DIY route guards that never verify on the server

👉 Use server-side sessions (or hardened JWT), HttpOnly cookies, MFA, and server verification.

Broken Authentication in React.js: Fix It Fast


Bad vs Good: Quick Code Diffs

❌ Anti-pattern: store JWT in localStorage

// Attacker with XSS can exfiltrate this
localStorage.setItem('token', jwt);
Enter fullscreen mode Exit fullscreen mode

✅ Prefer HttpOnly session cookies

// React login: cookie managed by browser, not JS
await fetch('/api/login', {
  method: 'POST',
  credentials: 'include',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({ email, password })
});
Enter fullscreen mode Exit fullscreen mode

Server: set a hardened session cookie

// Node/Express example
res.cookie('sid', sessionId, {
  httpOnly: true,
  secure: true,
  sameSite: 'lax',   // or 'strict' for tighter flows
  path: '/',
  maxAge: 60 * 60 * 1000
});
Enter fullscreen mode Exit fullscreen mode

Protect routes with a real server check

// React route guard that verifies on the server
useEffect(() => {
  fetch('/api/me', { credentials: 'include' })
    .then(r => r.ok ? setAuthed(true) : navigate('/login'));
}, []);
Enter fullscreen mode Exit fullscreen mode

Throttle brute force & credential stuffing

// Express: simple rate limit on login
import rateLimit from 'express-rate-limit';
app.post('/api/login',
  rateLimit({ windowMs: 15*60*1000, max: 10 }),
  loginHandler
);
Enter fullscreen mode Exit fullscreen mode

Minimal Secure Auth Checklist (React + API)

  • [ ] HttpOnly, Secure, SameSite cookies for sessions
  • [ ] MFA/2FA for risky actions and logins
  • [ ] Rate limiting + IP/device fingerprint checks
  • [ ] Short-lived sessions + rotation on privilege change
  • [ ] CSRF protection (cookies + SameSite, or CSRF token for unsafe methods)
  • [ ] Server-side authorization on every API call

Screenshot of our Website Vulnerability Scanner homepage

Screenshot of the free tools webpage where you can access security assessment tools.Screenshot of the free tools webpage where you can access security assessment tools.

Try It on Your Project (Free)

Scan your site with our Free Website Vulnerability Scanner to catch auth weaknesses early:
➡️ https://free.pentesttesting.com/

Sample Assessment Report by the tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.


Deep Dives & How-Tos


Related Services (Pick What You Need)

Managed IT Services

Harden identity, patching, device control, and IAM policies so broken auth doesn’t creep back in.
https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity

Threat-model AI flows (tokens, model gateways, webhooks) and secure auth around ML features.
https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity to Your Clients

Agencies/MSPs: white-label assessments and remediation, including auth hardening playbooks.
https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

Stay Updated

Subscribe on LinkedIn https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=7327563980778995713


Copy-Paste Snippet: Secure Fetch Wrapper (Bonus)

// Reuse across your app to always send cookies
export const api = (url, opts={}) =>
  fetch(url, {
    credentials: 'include',
    headers: { 'Content-Type': 'application/json', ...(opts.headers||{}) },
    ...opts
  });
Enter fullscreen mode Exit fullscreen mode

Top comments (0)