PS Product Security Knowledge Base

🧪 Worked Example Lab: Frontend Session Review

Intro: This lab helps engineers practice reviewing browser authority, not just reading a cookie checklist. The goal is to recognize when the browser is carrying more trust than the product intended.

What this page includes

  • a short frontend auth scenario
  • reviewer prompts
  • model findings and recommendations
  • simple scoring guidance

Scenario

A new Next.js application stores a long-lived access token in localStorage so the SPA can call the API directly from the browser. The team also shipped a broad CSP, script-src https: 'unsafe-inline', to accommodate analytics and support widgets.

Reviewer prompts

  • What authority lives in the browser now?
  • What happens if XSS lands on a privileged page?
  • Is the CSP helping enough to compensate for the browser-held token?
  • Would a BFF or cookie-based session reduce risk meaningfully?

Model findings

  1. Long-lived token exposure increases replay and XSS impact.
  2. Broad CSP weakens the control model and raises third-party script risk.
  3. The direct-browser-to-API design may expose more authority than the product needs.
  4. Privileged pages should likely move toward a BFF or tighter session model.

Better pattern

Move high-value upstream calls through a BFF where practical, keep session material out of script-readable browser storage such as localStorage, tighten the CSP, and reduce third-party script exposure on sensitive pages.


Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.