What are (if any) the security drawbacks of REST Basic Authentication with Javascript clients?

Frontend | Unresolved | 3 | 875
傲寒 2021-01-19 16:43

I have this application that consists of a REST back-end intended to service requests from an HTML5/JavaScript client (which I'm also building).

I'm planning on

3 answers
  •  长情又很酷
    2021-01-19 17:14

    Basic authentication is really basic ;-) You don't really control the session, ... Here is a link about a more advanced approach (token-based authentication) for RESTful services: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.

    Otherwise I agree with Robert's previous answer that we need to be very careful when storing credentials on the client side (XSS attacks).

    The problem with cookies is that your client needs to be a browser to leverage this feature transparently... If that's the case, you can leverage this. If you're open to any REST clients, it could be a problem since clients need to handle cookies manually. Moreover, it's really not the best approach for authentication within RESTful services ;-)

    I don't really see other approaches (with the exception of cookies) to implement authentication in an SPA in a convenient and flexible way. Notice that JavaScript frameworks like Angular provide support to prevent XSS attacks.

    I gave an answer here about such an issue: Is there any safe way to keep rest auth token on the client side for SPA?.

    Hope it will give hints to your issue. Thierry
