I have been working on a lot of applications with app-only policy and just wanted to make sure that I am not overlooking any security vulnerability. Below is a sample scenario for discussion:

  1. Provider hosted Add-in with Contribute permissions and app-only configured.
  2. Add-in has a page which reads data using App-only policy.

Now, users who use this app do not have any permissions on the SharePoint site. But can a user somehow hijack the app-only token in the browser and use REST calls to delete or edit items in the host web?

I see from this post that app-only calls can be used in REST calls in C#.


Solution

You just need to follow a few simple rules regarding tokens to make sure your security is good.

  1. Never share the ClientSecret (the .pfx file for high-trust). That means do not transmit it to the browser, and do not store it in JavaScript, cookies, or browser session (local) storage. The ClientId, on the other hand, is public information and can be shared without issues.

  2. Never share app-only access tokens. Same as for the ClientSecret: do not transmit them and do not store them in JavaScript.

That means all operations with app-only tokens should be done on the server side only; tokens should not be shared with the browser by any means.

Side note regarding user+app access tokens: these tokens can be shared under certain circumstances (as adal.js does), but sharing a user access token opens a potential vulnerability (the access token can be stolen by a smart hacker). If you store a user access token on the client side, you need to take care of additional security: HTTPS only, and preventing CSRF and XSS attacks.
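As an added illustration of the server-side-only rule (this is not code from the question or the answer), the sketch below shows a provider-hosted add-in action that acquires and uses the app-only token entirely on the server and returns only the outcome to the browser. It assumes the Visual Studio provider-hosted add-in template's TokenHelper class and an ASP.NET MVC controller; the role name, list title and controller name are hypothetical.

```csharp
// ItemsController.cs (ASP.NET MVC, provider-hosted add-in). Added illustration, not the OP's code.
// Assumes the add-in template's TokenHelper is present in the project.
using System;
using System.Web.Mvc;
using Microsoft.SharePoint.Client;

public class ItemsController : Controller
{
    // The browser calls this action with the user's own ASP.NET authentication cookie.
    // The app-only token is acquired, used and discarded on the server; it never reaches the client.
    [Authorize]                   // the add-in authenticates the end user first
    [ValidateAntiForgeryToken]    // CSRF protection for a state-changing call
    [HttpPost]
    public ActionResult Delete(int itemId)
    {
        // The user has no permission on the SharePoint site, so the add-in itself must
        // decide who is allowed to trigger this app-only operation (hypothetical role name).
        if (!User.IsInRole("ItemEditors"))
            return new HttpStatusCodeResult(403);

        var hostWeb = new Uri(Request.QueryString["SPHostUrl"]);
        string realm = TokenHelper.GetRealmFromTargetUrl(hostWeb);

        // App-only token: obtained with the ClientSecret, which lives only in web.config on the server.
        string appOnlyToken = TokenHelper.GetAppOnlyAccessToken(
            TokenHelper.SharePointPrincipal, hostWeb.Authority, realm).AccessToken;

        using (ClientContext ctx = TokenHelper.GetClientContextWithAccessToken(hostWeb.ToString(), appOnlyToken))
        {
            List list = ctx.Web.Lists.GetByTitle("Products");   // hypothetical list title
            list.GetItemById(itemId).DeleteObject();
            ctx.ExecuteQuery();
        }

        // Only the result goes back to the browser: never the token, never the ClientSecret.
        return Json(new { deleted = itemId });
    }
}
```

The browser-side script only posts the item id to this action; it has nothing it could steal from the page or from local storage, which is the property the answer's two rules are meant to guarantee.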

Licensed under: CC-BY-SA with attribution