Client-Side Threats in SPAs: Modeling Security Risks in Popular JavaScript Framework

Authors

  • Miriyala Kiran Kumar, PG Scholar, Bhimavaram Institute of Engineering and Technology, Pennada
  • Dr. Kopparthi Suresh, Professor and Principal, Bhimavaram Institute of Engineering and Technology, Pennada

DOI:

https://doi.org/10.47392/IRJASH.2025.110

Keywords:

Client-side Security, React, Vue.js, Single Page Applications (SPAs), Threat Modeling, Cross-site Scripting (XSS), Web Security Assessment, JWT

Abstract

Single Page Applications (SPAs) have reshaped web development by improving responsiveness and interactivity, but the shift of application logic and data handling to the client side has introduced security challenges that traditional server-centric models do not adequately address. This study proposes and validates a threat model specifically designed for SPAs, focusing on two widely adopted JavaScript frameworks, React and Vue.js. Two prototype applications with equivalent functionality were developed and evaluated using a modified STRIDE methodology, combining static analysis tools (ESLint, SonarQube, Snyk), dynamic testing tools (OWASP ZAP, Burp Suite), and manual inspection of client-side code and runtime behavior. The analysis identified common vulnerabilities across both frameworks, including DOM-based XSS, insecure token storage, broken route guards, and exposed API endpoints. React showed higher risk when unsafe rendering practices such as dangerouslySetInnerHTML were used, while Vue's vulnerabilities were linked to insecure use of v-html and unvalidated dynamic imports. Mitigation strategies, including input sanitization, HttpOnly cookie-based token storage, Content Security Policy (CSP), and strict route guards, significantly reduced vulnerabilities. This work delivers a structured SPA-specific threat model and reproducible methodology, providing developers and security practitioners with actionable guidance for building more secure client-side applications.
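The abstract names four client-side risk patterns found in the prototypes: unsanitized values reaching dangerouslySetInnerHTML (React), unsanitized values reaching v-html (Vue), tokens written to web storage instead of an HttpOnly cookie, and dynamic imports with unvalidated specifiers. The following is an added example, not code from the paper or its prototype applications, of a small line-oriented static check in the spirit of the ESLint/SonarQube pass the study describes. Rule names, the sample source snippets and the assumed sanitizer names (`sanitize`, `DOMPurify.sanitize`) are all constructed for this illustration.

```javascript
// Added example (not from the paper): a minimal static check for the SPA risk patterns
// named in the abstract. Sample source and rule names are constructed for illustration;
// the sanitizer names below are assumptions about what a project calls its trusted sanitizer.

// A value passed to a raw-HTML sink counts as sanitized only when it is wrapped directly
// in an assumed trusted sanitizer call (sanitize(...) or DOMPurify.sanitize(...)).
function isSanitized(expr) {
  return /^(?:\w+\.)?sanitize\(/.test(expr.trim());
}

const RULES = [
  {
    id: 'react-unsafe-html',
    message: 'dangerouslySetInnerHTML receives an unsanitized value (DOM-based XSS risk)',
    check(line) {
      const m = line.match(/dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}/);
      return Boolean(m) && !isSanitized(m[1]);
    },
  },
  {
    id: 'vue-unsafe-html',
    message: 'v-html receives an unsanitized value (DOM-based XSS risk)',
    check(line) {
      const m = line.match(/v-html\s*=\s*"([^"]*)"/);
      return Boolean(m) && !isSanitized(m[1]);
    },
  },
  {
    id: 'token-in-web-storage',
    message: 'token written to web storage, readable by any injected script; prefer an HttpOnly cookie',
    check(line) {
      const m = line.match(/(?:localStorage|sessionStorage)\.setItem\(\s*['"]([^'"]*)['"]/);
      return Boolean(m) && /token|jwt|auth/i.test(m[1]);
    },
  },
  {
    id: 'unvalidated-dynamic-import',
    message: 'dynamic import() with a non-literal specifier; validate it against an allow-list',
    check(line) {
      // Flags import( whose first non-space character is not a quote, i.e. not a string literal.
      return /\bimport\(\s*(?!['"])/.test(line);
    },
  },
];

// Scans one source text line by line and returns every rule hit with its 1-based line number.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.check(text)) {
        findings.push({ line: idx + 1, ruleId: rule.id, message: rule.message, text: text.trim() });
      }
    }
  });
  return findings;
}

// Counts findings per rule, the kind of per-prototype summary one would compare across frameworks.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.ruleId] = (counts[f.ruleId] || 0) + 1;
  return counts;
}

// Constructed sample snippets: each unsafe form beside its hardened counterpart.
const SAMPLES = {
  reactUnsafe: 'function Comment({ body }) {\n  return <div dangerouslySetInnerHTML={{ __html: body }} />;\n}',
  reactSafe: 'function Comment({ body }) {\n  return <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(body) }} />;\n}',
  vueUnsafe: '<div v-html="post.body"></div>',
  vueSafe: '<div v-html="sanitize(post.body)"></div>',
  tokenStorage: "localStorage.setItem('jwt', response.data.token);",
  dynamicImport: 'const page = await import(`./views/${name}.vue`);',
  literalImport: "const page = await import('./views/Home.vue');",
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, summarize(scanSource(src)));
}
```

The check is deliberately per-line and pattern-based, as a lint rule would be; it cannot see a value sanitized two statements earlier, so a hit is a review prompt rather than a confirmed finding, which matches the study's pairing of tool output with manual inspection.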

Published

2025-11-25