Security measures (auth)
Read the sections “Why this shape” and “Reference example and production readiness” on Authentication before relying on this page. They explain why the default BFF-centred pattern exists, how you can extend or replace it, and what the reference implementation does and does not promise for production.
This page is a quick map: defaults in the accelerator BFF for sessions and CSRF, plus optional controls (CSP, CIAM, throttling) you turn on per deployment. It is not a compliance or full threat-model checklist.
The listed safeguards are what the reference path implements; they are not a claim of best practice, maximum security, or fitness for production without your own risk and policy review. Read the section “Reference example and production readiness” on Authentication for that framing.
Shipped in the BFF
- Tokens in HTTP-only cookies — The BFF sets them; application JS cannot read the values (`token-storage.service.ts`).
- CSRF on mutations — Double-submit pattern with encrypted tokens (`csrf`).
- Encrypted/signed token cookies — JWS + JWE before storage; verify on read.
- Refresh interceptor — Refreshes access tokens when configured; clears session data when refresh fails (`token-refresh.interceptor.ts`).
- Logout — Revokes with the integration when possible, then clears tokens and cart/wishlist ID cookies (`auth.service.ts`, `logout`).
- Cookie attributes — `secure`, `httpOnly`, and `SameSite` come from shared constants (`cookie.service.ts`, `config/constants/src/cookie.ts`).
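The following is an added example, not code from the accelerator: a minimal TypeScript sketch of two of the defaults listed above, the cookie attributes a BFF should set on token cookies and a double-submit CSRF check where the cookie copy of the token is encrypted so that only the server can read it. All names here (`serializeCookie`, `issueCsrf`, `verifyCsrf`, `requiresCsrf`, `CSRF_KEY`) are assumptions, AES-256-GCM stands in for the JWE layer the reference path uses, and the fixed key is constructed for the example only.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical 32-byte server key. Constructed for the example; a real BFF loads it from
// configuration or a secret store and never hard-codes it.
const CSRF_KEY: Buffer = Buffer.alloc(32, 7);

export interface CookieAttributes {
  httpOnly: boolean;
  secure: boolean;
  sameSite: "Strict" | "Lax" | "None";
  path: string;
}

// Defaults that keep the token out of page JS and off plain-HTTP and cross-site requests.
export const DEFAULT_COOKIE_ATTRIBUTES: CookieAttributes = {
  httpOnly: true,
  secure: true,
  sameSite: "Lax",
  path: "/",
};

// Builds a Set-Cookie header value with the hardening attributes applied.
export function serializeCookie(
  name: string,
  value: string,
  attrs: CookieAttributes = DEFAULT_COOKIE_ATTRIBUTES,
): string {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${attrs.path}`, `SameSite=${attrs.sameSite}`];
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.secure) parts.push("Secure");
  return parts.join("; ");
}

// Seals a token with AES-256-GCM (stand-in for JWE): output is iv.ciphertext.tag, base64url.
export function encryptToken(plain: string, key: Buffer = CSRF_KEY): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [iv, ciphertext, tag].map((b) => b.toString("base64url")).join(".");
}

// Opens a sealed token; returns null on any malformed or tampered input (GCM tag failure).
export function decryptToken(sealed: string, key: Buffer = CSRF_KEY): string | null {
  const parts = sealed.split(".");
  if (parts.length !== 3) return null;
  try {
    const [iv, ciphertext, tag] = parts.map((p) => Buffer.from(p, "base64url"));
    const decipher = createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Double-submit issue step: the browser stores the sealed copy in an HTTP-only cookie and the
// plaintext copy is handed to the application (e.g. in a response body) to echo in a header.
export function issueCsrf(): { setCookie: string; cookieValue: string; headerToken: string } {
  const headerToken = randomBytes(32).toString("base64url");
  const cookieValue = encryptToken(headerToken);
  return { setCookie: serializeCookie("csrf", cookieValue), cookieValue, headerToken };
}

// Only state-changing methods need the check; safe methods are left alone.
export function requiresCsrf(method: string): boolean {
  return ["POST", "PUT", "PATCH", "DELETE"].includes(method.toUpperCase());
}

// Double-submit verify step: decrypt the cookie copy and compare it to the header copy in
// constant time. Missing or unreadable input fails closed.
export function verifyCsrf(cookieValue: string | undefined, headerValue: string | undefined): boolean {
  if (!cookieValue || !headerValue) return false;
  const expected = decryptToken(cookieValue);
  if (expected === null) return false;
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(headerValue, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}
```

Because the cookie copy is encrypted under a server-held key, an attacker who can plant a cookie on a sibling subdomain cannot forge a matching pair without that key, which is the weakness of a plain (unencrypted) double-submit cookie; the header copy never needs to be readable from the cookie, so `HttpOnly` stays set.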
Recommended project-level hardening
- CSP on auth routes — See Content Security Policy (CSP). The accelerator does not enable document CSP by default.
- CIAM / IdP — Use when you need centralised identity, bot defence, or stronger policy than password grant at the BFF alone.
- Rate limiting — Optional BFF throttling; see Rate limiting.
- Input validation — Validate API bodies and queries in the BFF; see BFF validation.
Summary
| Area | Shipped | Often added |
|---|---|---|
| Session cookies | HTTP-only, encrypted | — |
| CSRF | Yes | — |
| Token refresh | Interceptor | — |
| CSP | No | Page headers / hosting |
| Identity product | Integration-specific | CIAM / OIDC |
| Abuse controls | Optional throttles | Tuning, WAF |