Backend-for-Frontend: The most secure architecture for browser-based apps
Blog post from FusionAuth
In September 2025, a significant supply chain attack compromised popular npm packages, leading to potential cryptocurrency theft and highlighting how exposed JavaScript applications are when they store tokens in the browser. The incident underscores the importance of secure authentication practices, particularly for applications handling sensitive data. The OAuth 2.0 for Browser-Based Applications draft outlines three architecture patterns for handling authentication; of these, the Backend-for-Frontend (BFF) pattern is the most secure, because tokens stay on the server, out of the browser's reach.

BFF architecture treats the browser as a hostile environment: a backend performs the OAuth exchange and holds the resulting tokens, so they are never exposed to JavaScript that may have been compromised. The browser receives only an httpOnly session cookie, and the backend uses that session to attach the right token to API calls on the browser's behalf. This protects against token theft and cross-site scripting, since script running in the page can neither read the cookie nor obtain the tokens behind it.

Implementing BFF adds complexity and can add latency, since every API call passes through the backend, but the security benefit makes it a crucial consideration for applications that handle sensitive data. BFF also brings operational advantages: centralized logging and monitoring, and easier integration with legacy systems, which make it appealing beyond security alone.

FusionAuth offers a Hosted Backend that implements this architecture, allowing developers to focus on building applications rather than on the underlying token-handling concerns. Whether to adopt BFF should be guided by the sensitivity of the data handled, compliance requirements, and how much control the team has over backend operations.