I am creating a web application that will be handling sensitive data. The application is implemented as a Spring Boot RESTful API, so that different flexible clients can be created around it. Right now the planned consumers are a web client, followed by native Android and iOS clients.
I am considering the following methodology to secure a WebApp that will be handling sensitive data: http://www.redotheweb.com/2015/11/09/api-security.html
Let me summarize the approach outlined in this article:
- There are two methods of security for a Browser-based client to use: session cookies and temporary tokens saved in local storage.
- Session cookies are vulnerable to CSRF attacks, while temporary tokens are vulnerable to XSS.
- The solution is to use both, as it would drastically reduce the risk of both attacks.
Part of me feels like this approach is overkill, but I am working on an app that may need to be considered for HIPAA compliance in the future so I feel like more is more in this case.
Is this the "industry standard" approach for this type of security configuration? I see that this was posted over a year ago and am unsure if an update has been made. Also, does this approach have a name?
Is this type of security configuration available OOTB with Spring Boot?
How would an approach like this translate to non-browser consumers (such as an Android app)? At that point the use of local storage is avoided so we would not need to use the session cookie, but can we configure Spring to use specific rules for native clients?