Modern Web Architecture Threats

Single-page applications (SPAs) shift significant functionality to the client, creating new threat patterns. Client-side routing might expose administrative interfaces that lack server-side protection. State management in the browser could leak sensitive information. API calls from the browser reveal internal API structures. Heavy client-side logic increases the attack surface for tampering. Threat modeling SPAs requires analyzing both client and server components and their interactions.

Progressive web applications (PWAs) introduce offline capabilities that create additional threats. Service workers intercept all requests, potentially capturing sensitive data. Cache poisoning could serve malicious content even after the server is fixed. Push notifications might be abused for phishing. Background sync could exfiltrate data without user awareness. These powerful features require careful threat analysis to implement securely.

WebAssembly enables near-native performance but complicates security analysis. Traditional JavaScript security tools can't analyze WebAssembly modules. Memory corruption vulnerabilities thought left behind with web technologies return. Cryptographic operations in WebAssembly might be vulnerable to timing attacks. The opacity of compiled code makes threat modeling more challenging, requiring trust in development toolchains.

Jamstack architectures with static site generation and serverless functions create different threat patterns. The attack surface shifts from traditional web servers to build processes and function endpoints. Supply chain attacks on build tools could compromise static sites. Serverless functions might lack traditional security controls. CDN poisoning could serve malicious content globally. These architectural shifts require corresponding threat model adaptations.