Why Broken Authentication Happens in React
React runs in the browser, so anything you store or trust on the client can be stolen, forged, or replayed. Common pitfalls:
- Tokens in
localStorage
(easy XSS loot) - No rate-limiting or MFA on login
- Weak session cookie flags (no
HttpOnly
,Secure
,SameSite
) - DIY route guards that never verify on the server
👉 Use server-side sessions (or hardened JWT), HttpOnly
cookies, MFA, and server verification.
Bad vs Good: Quick Code Diffs
❌ Anti-pattern: store JWT in localStorage
// Attacker with XSS can exfiltrate this
localStorage.setItem('token', jwt);
✅ Prefer HttpOnly session cookies
// React login: cookie managed by browser, not JS
await fetch('/api/login', {
method: 'POST',
credentials: 'include',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({ email, password })
});
Server: set a hardened session cookie
// Node/Express example
res.cookie('sid', sessionId, {
httpOnly: true,
secure: true,
sameSite: 'lax', // or 'strict' for tighter flows
path: '/',
maxAge: 60 * 60 * 1000
});
Protect routes with a real server check
// React route guard that verifies on the server
useEffect(() => {
fetch('/api/me', { credentials: 'include' })
.then(r => r.ok ? setAuthed(true) : navigate('/login'));
}, []);
Throttle brute force & credential stuffing
// Express: simple rate limit on login
import rateLimit from 'express-rate-limit';
app.post('/api/login',
rateLimit({ windowMs: 15*60*1000, max: 10 }),
loginHandler
);
Minimal Secure Auth Checklist (React + API)
- [ ]
HttpOnly
,Secure
,SameSite
cookies for sessions - [ ] MFA/2FA for risky actions and logins
- [ ] Rate limiting + IP/device fingerprint checks
- [ ] Short-lived sessions + rotation on privilege change
- [ ] CSRF protection (cookies + SameSite, or CSRF token for unsafe methods)
- [ ] Server-side authorization on every API call
Screenshot of our Website Vulnerability Scanner homepage
Screenshot of the free tools webpage where you can access security assessment tools.
Try It on Your Project (Free)
Scan your site with our Free Website Vulnerability Scanner to catch auth weaknesses early:
➡️ https://free.pentesttesting.com/
Sample Assessment Report by the tool to check Website Vulnerability
Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.
Deep Dives & How-Tos
- Browse hands-on guides and case studies on our blog: https://www.pentesttesting.com/blog/
Related Services (Pick What You Need)
Managed IT Services
Harden identity, patching, device control, and IAM policies so broken auth doesn’t creep back in.
https://www.pentesttesting.com/managed-it-services/
AI Application Cybersecurity
Threat-model AI flows (tokens, model gateways, webhooks) and secure auth around ML features.
https://www.pentesttesting.com/ai-application-cybersecurity/
Offer Cybersecurity to Your Clients
Agencies/MSPs: white-label assessments and remediation, including auth hardening playbooks.
https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/
Stay Updated
Subscribe on LinkedIn https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=7327563980778995713
Copy-Paste Snippet: Secure Fetch Wrapper (Bonus)
// Reuse across your app to always send cookies
export const api = (url, opts={}) =>
fetch(url, {
credentials: 'include',
headers: { 'Content-Type': 'application/json', ...(opts.headers||{}) },
...opts
});
Top comments (0)