TSDN
CIAM Best Practices

Other cases

Traditional Website

A "traditional" website relies on reloading pages, not using AJAX.

We provide best-practice recommendations for this case.

  • no AJAX: every exchange with the server happens through a full page reload
  • refreshing a page must not trigger a new login
  • keep tokens in the backend: bind them to a server-side session rather than exposing them to the browser
  • avoid cookies where possible; where they are needed, use HttpOnly cookies
  • use CSRF protection (required because the session relies on cookies)
  • ensure the CORS settings are correct
    • in particular, never combine Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true
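As an added example (not code from the original page), a minimal Python sketch of the backend side of these recommendations: tokens held in a server-side session, the session id issued as an HttpOnly cookie, a per-session CSRF token checked in constant time, and CORS headers that echo only allowlisted origins. The origin allowlist, the in-memory store and the token values are assumptions constructed for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed allowlist of the site's own origins (constructed for this example).
ALLOWED_ORIGINS = {"https://www.example.com"}

# In-memory session store (assumption: a real deployment uses a server-side
# store such as a database or cache). Tokens never leave this structure.
SESSIONS = {}


def create_session(access_token, refresh_token):
    """Create a backend session holding the OAuth tokens and a CSRF secret.
    The browser only ever receives the opaque session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "access_token": access_token,
        "refresh_token": refresh_token,
        "csrf": secrets.token_urlsafe(32),
    }
    return sid


def session_cookie_header(sid):
    """Set-Cookie value for the session id: HttpOnly keeps it away from
    scripts, Secure limits it to HTTPS, SameSite=Lax blunts cross-site POSTs."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c["session"].OutputString()


def csrf_ok(sid, submitted_token):
    """Validate the CSRF token posted with a form against the session's copy
    using a constant-time comparison; unknown sessions always fail."""
    sess = SESSIONS.get(sid)
    if sess is None or not submitted_token:
        return False
    return hmac.compare_digest(sess["csrf"].encode(), submitted_token.encode())


def cors_headers(origin):
    """CORS headers for a credentialed request: echo only an exact allowlisted
    Origin, never '*', and send nothing at all for unknown origins."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}
```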

Hybrid apps

There are many ways to put the different pieces of a web application together, so we cannot speak to them individually.

  • Where relevant, follow the recommendations given in other parts of the page
  • Pay close attention to security, especially when configuring CORS and, where required, PKCE.
  • Use standard frameworks wherever available
  • Make sure your approach is well documented.


See also