<radosvet.dev/>

Frontend Security: A Practical Guide

#security #frontend #best-practices #career
Fri, 6 June 2025 - 4 min read
A wooden door with a padlock.

The Hidden Traps of Frontend Security

Imagine you’re a knight guarding a castle. You’ve got thick stone walls, a massive drawbridge, and archers on every tower. But what if the enemy isn’t trying to breach the front gate? What if they’ve found a tiny, forgotten crack in the wall, just big enough for them to slip through? This is often how frontend security works. We spend our time defending against the big, obvious threats, but the most dangerous vulnerabilities are the ones we don’t even see.

I’ve seen it happen. A huge security hole can appear not because of a sophisticated attack, but from a simple mistake in a config file. The scariest part is that the code itself might look perfect, but a forgotten setting in a .env file or a misconfigured middleware can leave the front door wide open.

This is why, as frontend developers, we have a shared responsibility to understand and protect our users. Security is not just a backend problem; it is everyone’s problem.

The Dangers in Plain Sight

A huge number of vulnerabilities come from common, everyday oversights. Being aware of these simple things is often the most important part of our job.

Problem 1: Vulnerable Packages

You’ve just found a great NPM package, it doesn’t have a lot of downloads, the last update was 2 years ago, but still saves you hours of work. Just remember that every package you install is code you are now responsible for. You’ll need to maintain the latest versions of that package, you’ll need to spend time fixing the next major version broken APIs and so on.

  1. Check the Downloads: A package with few downloads might be new or not well-maintained. This doesn’t mean it’s bad, but it means you need to be more careful.
  2. Look for Known Vulnerabilities: Before installing, a quick check with a tool like Snyk or by running npm audit can tell you if a package has any known security issues.
  3. Be Smart with Your Dependencies: Every package is a potential entry point for an attacker. Only install what you actually need. Less might be better.

Problem 2: Leaking User Data

Personally Identifiable Information (PII) is any data that can identify a specific person. This includes names, emails, addresses, phone numbers and so on. As frontend developers, we have to be extremely careful with it.

One common mistake is sending PII to a third-party service, like an analytics tool. Imagine you’re using a tool to track user behaviour. You might accidentally send a user’s email address as part of an event name or a custom property. This data is then no longer in your control.

Think about it in this way, if you control the data you can delete it, update it, do whatever you like, but if it goes out, you don’t have any guarantee that data will be safe. Always review what data you are sending to third-party services and ensure it does not contain any PII.

Problem 3: URLs and Query Parameters

URLs seem harmless, but they can be a source of vulnerabilities.

Imagine your app uses a URL parameter to show a user a message, for example: https://myapp.com/success?message=Your%20account%20has%20been%20created.

What happens if an attacker changes the URL to include a malicious script? https://myapp.com/success?message=<script>alert('You have been hacked!')</script>. If you just take that message from the URL and put it directly on the page, the browser will run the script. Always, always, clean or encode URL parameters before using them in the UI.

Problem 4: Client-Side Storage

It is a common practice for developers to use localStorage for easy data storage, but it is not a safe place for private data. It is vulnerable to XSS attacks and does not expire. Session tokens, for example, should be stored in HttpOnly cookies, which JavaScript cannot access.

Conclusion: Security Is a Shared Responsibility

Think of building a strong body. The most impressive things are the flashy moves - the heavy lifts, the complex routines. But anyone who knows anything about fitness will tell you that the real strength comes from your core. It’s the unglamorous, foundational work - proper form, warm-ups, and strengthening your core muscles - that prevents injury and allows you to do everything else safely. A truly robust product, and a truly great developer, cares about building a strong foundation.

By understanding these simple, everyday security issues, you’re not just writing better code, you are building safer experiences and earning your users’ trust. It is a foundational skill that separates a good developer from a great one, and it is something every hiring manager should be looking for.

Security is not a feature you add later. It is an integral part of the development process that starts with the very first line of code.

Join my newsletter

Subscribe to get updates on new blog posts, useful frontend tips and ideas you can apply in your own work.