Security for everyone
Homepage Blog
How To
Whitepapers
 Login Join
For Companies
Hardening

5 Essential Security Practices for Hardening React Applications

SecurityForEveryone

S4E.io

12/Feb/25

React applications are integral to modern web development, but their security must not be overlooked. Implementing robust security measures ensures your app is resilient against common vulnerabilities. Below are five critical practices to secure your React application:

1- Protection Against Zip Slip Attacks

React applications can be vulnerable to zip slip attacks, especially if users are allowed to upload files. Without proper configurations, such vulnerabilities can expose sensitive data or trigger directory traversal attacks.

To mitigate these risks:

  • Avoid accepting archive file types (e.g., .zip) by default. A blacklist approach can be helpful.
  • When feasible, implement a whitelist approach to only accept specific file types, such as .jpeg.
  • Always validate and sanitize uploaded files to prevent malicious payloads.

2- Defending Against XSS Attacks

There are xss vulnerabilities in older versions of React.The fact that there is no known xss vulnerability in the current version only means that if you are using a vulnerable version of this library, you are at risk even if you have written code in the safest way.But if you are using the safest version, you are definitely at risk if the configuration of the interaction of the javascript functions you use on the dom with the user is wrong.

Best practices to prevent XSS in React:

  • Understand how JSX and React.createElement render data to the DOM.
  • dangerouslySetInnerHTML, understand why it is named that way and consequently try to avoid it if possible. If you must use it, double-check that you avoid everything you pass to it.
  • Perform data sanitization before rendering in the DOM using the “DOMPurify” library
import purify from "dompurify";

<div 
    dangerouslySetInnerHTML={{ 
        __html: purify.sanitize(data) 
    }} 
/>
  • URLs may contain dynamic script content. Therefore, always validate the URL to ensure that the links are http: or https: to avoid javascript: URL-based scripting. Use the native URL parsing function to validate the URL and match the parsed protocol property to the allowed list.
function isValidUrl(url) {
    const parsed = new URL(url);
    return ['https:', 'http:'].includes(parsed.protocol);
}

<a href={isValidUrl(url) ? url : '#'}>Click here!</a>

3- Avoiding JSON Injection Attacks

JSON data, when paired with server-side rendered responses, can be exploited for injection attacks.

To reduce the risk:

  • Replace special characters such as < with their Unicode equivalents before rendering data in the DOM.
window.PRELOADED_STATE = 
${JSON.stringify(preloadedState)
  .replace(/</g, "\\u003c")
  .replace(/>/g, "\\u003e") }
  .replace(/</g, "\\u003c");

4- Input Validation for Enhanced Security

Every form of user input poses a potential risk if not properly validated. Whether it’s a text field, URL, or uploaded file, treat all inputs as potentially malicious.

Key tips include:

  • Use libraries like validator.js for robust input validation.
  • Apply strict validation rules for fields like URLs, emails, and phone numbers.
  • Escape any dynamic content rendered in the DOM.

5- Keep Dependencies Updated

Outdated libraries can expose your application to known vulnerabilities. Regularly updating React and its associated dependencies ensures your project stays secure. Use tools like npm audit or yarn audit to identify and resolve potential security issues promptly.

What is Reactjs ?

React is a JavaScript library developed by Facebook. It is used for building web applications and user interfaces (UI). React has a component-based structure, meaning that it allows you to design and manage different parts of the application (components) independently.

Its main features are:

  • Component Based Structure: Divides the UI into small, independent components. Each component manages its own state and behavior.
  • Virtual DOM: Improves the performance of the application by using a virtual DOM that is faster than the real DOM. In this way, only the changed components are updated, the whole page is not re-rendered.
  • Unidirectional Data Flow: Data flows unidirectionally between components, making it easier to understand the flow of data and how to update components.
  • JSX: Allows you to define your components using JSX, an HTML-like syntax inside JavaScript code. JSX makes the conversion from JavaScript to HTML more straightforward.

Vulnerabilities in React

  • React is a JavaScript library primarily used for building user interfaces, and it has relatively few known vulnerabilities.
  • A comprehensive list of vulnerabilities found in React can be accessed through Snyk’s React Security Advisory.
Table highlighting cross-site scripting (XSS) vulnerabilities in React, categorized as high and medium severity. The table lists vulnerable versions, such as >=0.0.1 <0.14.0 and >=0.5.0 <0.5.2, emphasizing the importance of securing software to prevent attacks.
  • Even if React itself is secure, improper configurations can expose your application to risks, such as integrating outdated libraries or misusing features like dangerouslySetInnerHTML.
  • While third-party library vulnerabilities may not be your fault, how you configure and use them is your responsibility. Misconfigurations can lead to backdoors or other security issues.

Related posts:

  1. 7 Important Steps For Hardening Nginx
  2. 9 Essential Steps for Hardening Laravel
  3. 8 Important Steps for Hardening Apache2 Configuration
  4. Hardening Toastr Notifications: A Guide to Safe Implementation
cyber security services for everyone one. Free security tools, continuous vulnerability scanning and many more.
Try it yourself,
control security posture