System Design Space
Knowledge graphSettings

Updated: June 22, 2026 at 5:59 AM

Frontend Application Security and the Browser Threat Model

medium

How to design frontend security through the browser threat model: XSS, CSRF, CSP, token storage, third-party code, BFF, and supply-chain risk.

The browser threat model is uncomfortable because frontend is both a user interface and an untrusted execution environment. You cannot simply 'rely on the backend': XSS, CSRF, token leakage, third-party scripts, and supply-chain risk all live directly on the client surface.

The chapter frames frontend security as an architecture of trust boundaries. It shows why CSP, cookie strategy, token storage choices, third-party isolation, and external-script policy should be as deliberate as API security or server-side data access.

For architecture reviews, it forces the browser to be seen not as a thin view layer, but as a public runtime under constant attacker pressure and product trade-offs.

Practical value of this chapter

Design in practice

Design browser boundaries explicitly: user input, rendering surfaces, token storage, API/BFF, and third-party code.

Decision quality

Evaluate choices through blast radius: what an attacker can do after XSS, token leakage, or third-party script compromise.

Interview articulation

Structure answers as untrusted runtime, asset, attack path, control, and residual risk.

Trade-off framing

Make the cost explicit: client convenience, session safety, CSP constraints, integration cost, and release speed.

Context

OWASP Top 10 in the context of System Design

The browser threat model is not a separate world; it is the client-side continuation of the same security assumptions and defaults.

Читать обзор

Frontend lives inside an untrusted execution environment you do not control: someone else's browser, its extensions, injected scripts, and any network conditions. So the client cannot be a safe place for trust logic, secret storage, or uncontrolled HTML rendering — whatever lands there is, in the worst case, already in an attacker's hands.

That is why frontend security starts not with a vulnerability checklist, but with a simple question: what trust boundaries actually exist inside the browser.

What follows pulls the browser threat model, user input, XSS, CSRF, CSP, third-party scripts, token storage, BFF, attack surface, and the frontend software supply chain into one architectural frame, not a scattered list of vulnerabilities.

Browser Threat Model Architecture Map

The diagram shows where trust boundaries appear in the browser: user input, application code, session state, API/BFF, and third-party code all need different controls.

Risk pathBrowserApp codeSessionAPI/BFFThird-party code

Where client trust ends

The browser is not a trusted boundary. Each boundary should explicitly limit what the client may store, execute, and send onward.

Runtime

Untrusted browser

The user, extensions, network, and local storage are outside the team's full control.

runs

Code

Application code

Client logic should treat inputs as untrusted and avoid keeping secrets in the browser.

reads

Session

Storage and session state

Cookies, tokens, and local data define blast radius during XSS or token leakage.

requests

Boundary

API or BFF

The server boundary verifies action, authorization, and request shape instead of trusting UI.

expands

Expansion

Third-party code

Widgets, analytics, and packages get only the access allowed by policy.

When to use this

  • A new external script, widget, or package is added.
  • The team needs to choose where token or session state lives.
  • Engineers debate which checks belong on the client versus the server.

Architecture meaning

The trust map keeps UI convenience separate from a safe boundary: the browser shows the scenario, but the server still makes the final decision.

Main threat classes in the browser

XSS and script injection

The most painful class of frontend risk: user-controlled HTML, unsafe markdown rendering, third-party widgets, and DOM-based sinks can quickly turn UI into a token and action hijack surface.

CSRF, session fixation, and browser trust assumptions

Even when auth is implemented on the server, frontend still needs to understand how cookies, same-site policy, redirect flows, and anti-replay assumptions behave in the browser.

Token storage and the illusion of client secrets

Treat any long-lived token in browser storage as already leaked: one XSS and it is in an attacker's hands. localStorage and embedded config look like a vault, but nothing stops another script from reading them.

Supply chain and third-party scripts

Every external script runs with the same privileges as your own code. Analytics, chat widgets, A/B tooling, CDN-hosted libraries, and browser extensions expand the attack surface exactly as much as you trust them. This is part of the threat model, not just part of marketing integration.

Protection layers

CSP and script-source limitation

CSP does not solve every problem, but it sharply reduces the cost of accidental XSS. Nonce or hash strategy, banning inline scripts, and controlling third-party domains are especially important.

Safer auth boundaries

Session cookies, PKCE, short-lived tokens, refresh rotation, and backend-for-frontend are often safer than large bearer tokens scattered through client code.

Escaping and typed rendering surfaces

Every path that renders HTML, markdown, template fragments, or dangerously-set markup is a separate boundary someone has to review, each with its own explicit sanitization policy. A boundary you missed stays silent until someone else's script reaches it.

Dependency hygiene and provenance

Lockfiles, dependency review, artifact integrity, and limiting package sprawl matter to frontend no less than to backend services.

Security review questions

  • Which data do we treat as trusted in the browser and what is that trust based on?
  • Can arbitrary script execution happen through content paths, markdown, WYSIWYG, or third-party snippets?
  • Which client-side tokens or session artifacts create too large a blast radius if compromised?
  • How quickly can we disable an unsafe external integration or flag without a full product rollback?

Faulty intuition

Treating frontend as a thin view layer and skipping separate threat modeling for browser-side flows. That is exactly how XSS sinks, weak third-party integrations, and risky token-storage decisions stay invisible for too long.

Maturity signal

In a mature frontend product, browser security rests not on a heroic reviewer but on safe defaults: controlled rendering surfaces, minimal token exposure, a strict script policy, and the ability to disable an unsafe integration in minutes, not in a release.

Related chapters

Enable tracking in Settings