Skip to main content

Security and Privacy Hub

Use this hub when

  • a route handles account, billing, health, finance, or identity data
  • third-party scripts, analytics, attribution, or replay are introduced
  • raw HTML, user-generated content, or generated UI is rendered
  • auth/session behavior changes
  • browser storage contains sensitive data

Reading path

StepRead
Foundationpart-0/security-for-frontend-engineers, part-viii/browser-attack-surface-architecture
Browser controlspart-viii/security-architecture-csp-trusted-types, part-viii/auth-session-browser-architecture
Privacypart-viii/privacy-measurement-attribution-architecture, part-viii/compliance-privacy-auditability
Reviewreview-packets/client-side-security-privacy-review-packet, review-packets/security-reliability-review-packet
Examplespart-xii/completed-examples/completed-client-side-security-privacy-review, part-xii/completed-examples/completed-third-party-script-register
Capstonecapstones/capstone-secure-reliable-account-portal, capstones/solution-packs/capstone-solution-pack-secure-account-portal

Artifacts to produce

  • browser threat model
  • sensitive data-flow map
  • third-party script register
  • CSP rollout plan
  • storage and retention decision
  • incident runbook

Review prompts

  • What attacker-controlled input reaches browser sinks?
  • What sensitive data reaches HTML, JS, URLs, storage, logs, analytics, or replay?
  • Which third parties run, and who can disable them?
  • Which controls are server-enforced rather than UI-only?

Source lens

Use OWASP client-side risk guidance, MDN browser security/privacy documentation, and the guide's Part VIII chapters for architecture controls.