01 — Purpose

Security is a frontend deliverable

XSS, leaked secrets, and reckless third-party scripts are frontend bugs — not someone else's problem after deploy.

Use this checklist on user-facing changes — forms, auth flows, embeds, and anything that touches URLs, HTML, or client-side storage. Pair with code review checklists when markup and JavaScript change together.

02 — Markup

XSS and unsafe HTML

If user input or CMS content reaches the DOM unsanitised, you have a vulnerability.

  • no innerHTML, document.write, or insertAdjacentHTML with untrusted strings
  • framework escape rules understood — no set:html or dangerouslySetInnerHTML without a sanitiser
  • URL parameters and hash fragments not written into the page without encoding
  • user-generated content sanitised server-side — client validation is not enough
  • SVG uploads and rich HTML from editors treated as untrusted input

03 — Scripts

Third-party scripts and supply chain

Every tag you add is code you did not write running in your users' browsers.

  • new third-party scripts justified — analytics, chat, ads, A/B tools
  • scripts loaded only after consent where regulations require it
  • Subresource Integrity used for CDN scripts when versions are pinned
  • dependencies reviewed — known vulnerabilities checked; unused packages removed
  • npm lockfile committed; unexpected postinstall scripts investigated

04 — Headers

CSP and security headers

Headers are enforced by the browser — coordinate with platform or backend owners.

  • Content-Security-Policy considered — restrict script sources to what you need
  • inline scripts avoided or nonced/hashed if CSP requires it
  • frame-ancestors set where clickjacking is a risk
  • cookies use Secure, HttpOnly, and SameSite appropriately — session tokens live in such cookies, not in localStorage

05 — Secrets

Secrets and client exposure

The client bundle is public — assume attackers can read everything in it.

  • no API keys, private tokens, or shared secrets in frontend source or env exposed to the client
  • auth tokens not logged to console or analytics
  • sensitive data not stored in localStorage without encryption and a threat model
  • error messages do not leak stack traces, SQL, or internal paths to users

06 — Navigation

Links, redirects, and postMessage

Open redirects and loose postMessage handlers are classic frontend footguns.

  • redirect targets validated — no open redirects via ?next= without an allowlist
  • external links use rel="noopener noreferrer" when opening new tabs with target="_blank"
  • postMessage handlers verify event.origin and message shape
  • javascript: URLs not used in links or redirects
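One way to implement the allowlisted ?next= check and the javascript: URL rule above, added here as an example and not code from the original checklist; it also covers protocol-relative, userinfo-prefixed and lookalike-host targets, and APP_ORIGIN and ALLOWED_ORIGINS are constructed values:

```javascript
// Example added to this checklist, not code from it. Resolves a ?next=
// parameter against an allowlist of origins before redirecting, so that
// protocol-relative, absolute, userinfo-prefixed and non-http(s) targets
// all fall back to a safe default.
// Assumed (constructed) values: APP_ORIGIN and ALLOWED_ORIGINS.

const APP_ORIGIN = "https://app.example";
const ALLOWED_ORIGINS = new Set([APP_ORIGIN, "https://docs.example"]);
const FALLBACK = "/";

// Returns an absolute URL that is safe to redirect to, or FALLBACK.
function safeRedirectTarget(next, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof next !== "string" || next.trim() === "") return FALLBACK;

  let url;
  try {
    // Relative paths resolve against our own origin; "//evil.example" or
    // "https://evil.example" resolve to the origin they name, which the
    // allowlist check below rejects. Unparsable input is never followed.
    url = new URL(next, APP_ORIGIN);
  } catch {
    return FALLBACK;
  }

  // Only http(s) is ever followed: javascript:, data:, blob: etc. are dropped.
  if (url.protocol !== "https:" && url.protocol !== "http:") return FALLBACK;

  // Compare the parsed origin, never a string prefix of the raw parameter:
  // a prefix check would accept "https://app.example.evil/".
  if (!allowedOrigins.has(url.origin)) return FALLBACK;

  // Drop any embedded credentials before the URL is followed.
  url.username = "";
  url.password = "";
  return url.href;
}

// Convenience wrapper for handlers that only need a yes/no answer.
function isSafeRedirect(next) {
  return safeRedirectTarget(next) !== FALLBACK;
}

// Typical use in a login-success handler (constructed call, browser only):
// window.location.assign(safeRedirectTarget(params.get("next")));
```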

07 — Sign-off

Before you approve

Security review is cheaper in a pull request than in an incident report.

  • auth and account flows tested — logout clears session; back button does not expose protected views
  • file uploads restricted by type and size; filenames not echoed unsafely
  • release readiness checklist considered for high-risk releases