Does CSP apply to React Native? - react-native

Does Content Security Policy apply to React Native?
It looks like JavaScript is still processed at runtime.
UPDATED:
Would CSP header make a React Native application more secure?

Yes.
Apply CSP by configuring the Content-Security-Policy header in your app's HTTP response; an example can be found here.
Note that CSP is only enforced by modern web browsers and may not be supported by all browsers or platforms.

Yes, Content Security Policy (CSP) can be applied to React Native applications. CSP is a security feature that helps prevent cross-site scripting (XSS) and other code injection attacks by specifying which sources of content are allowed to be loaded by a web page or application. React Native applications, like other web applications, can benefit from the use of CSP to help prevent security vulnerabilities.
Implementing CSP in a React Native application typically involves adding a "Content-Security-Policy" header to HTTP responses served by the server. The header value specifies the policy for the application, including which sources of content are allowed to be loaded. In React Native, you can add the header by configuring the server that serves the application, or by using a third-party library such as react-native-csp.
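
The header configuration described in the answers above, as an added example that is not part of the original answers: a Node `http` handler that sends `Content-Security-Policy` with a fresh nonce on every response. The function names, the policy directives and the sample markup are assumptions made for illustration.

```javascript
const http = require('node:http');
const crypto = require('node:crypto');

// Strict policy: same-origin resources only, plus inline scripts that carry
// this response's nonce. No 'unsafe-inline' and no 'unsafe-eval'.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Request handler: the nonce is generated per response and must appear both
// in the header and on every inline script the page is meant to run.
function handle(req, res) {
  const nonce = crypto.randomBytes(16).toString('base64');
  res.setHeader('Content-Security-Policy', buildCsp(nonce));
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  // Constructed sample page: the first script carries the nonce, the second
  // does not and is refused by an engine that enforces the policy.
  res.end(`<!doctype html><title>demo</title>
<script nonce="${nonce}">document.title = 'allowed';</script>
<script>document.title = 'blocked';</script>`);
}

// Start with createServer().listen(3000) when running this file directly.
function createServer() {
  return http.createServer(handle);
}
```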

Related

Can I use NextJs API routes to handle both web and mobile app?

I want to create web app in Nextjs and in the future mobile app in React Native. But I am confused what api to use. Do you think that the Nextjs api can handle both web and mobile apps? Is this possible and is it good idea at all? Should I use PHP backend for that? Thank you very much.
With the assumption that you are talking about API Routes:
I would ask you to think through the scale of your web and app. If this is a simple web/app that you do not expect to grow much, the NextJS API, which is similar to standing up a nodejs express server, is not a bad option.
Remember a few considerations when designing this API
You may have to distinguish the request origin (web/app)
CORS may have to be customized - Next exposes this
You could set an app specific route to ensure isolation or use headers to distinguish behavior if your application bifurcates in the future.
These concerns are shared even if you made a PHP, ExpressJS or any other API middleware.
Once you are past all this, I would ask you to consider
Using a GraphQL server like Apollo that works nicely with Next and is custom built for this purpose.
Evaluating API Gateways for security and scale.
You don't use any external tools at all.
Next JS has serverless model. So, you don't need to mess with BE.
You can create as many API routes as you want in the /pages/api folder. You can even split them into /pages/api/desktop and /pages/api/mobile folders.
You connect your database (MongoDB, SQL etc.) via /middleware/your_file.js. Here is an example for MongoDB
If you like, you can even add some security (ex: Auth0, next-auth etc.) to secure your API routes created in the /pages/api folder. Example for Auth0
After that, you can access your data through API calls. Very good!
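
The considerations listed in the first answer (distinguishing web from app requests, customizing CORS) combined with the second answer's point about securing routes, as an added example that is not part of either answer. The file path, the allowed origin and the response shape are assumptions; the handler uses the `req`/`res` helpers of Next.js API routes.

```javascript
// Hypothetical file: pages/api/items.js
// Assumed origin of the web front end; anything else is refused.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Classify the caller and set CORS headers for allowed browser origins.
function applyCors(req, res) {
  const origin = req.headers.origin;
  res.setHeader('Vary', 'Origin'); // caches must not mix per-origin responses
  // Mobile HTTP clients normally send no Origin header. Its absence proves
  // nothing about the caller, so it never replaces authentication.
  if (!origin) return 'no-origin';
  if (!ALLOWED_ORIGINS.has(origin)) return 'rejected';
  res.setHeader('Access-Control-Allow-Origin', origin); // echo, never "*"
  res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type');
  return 'web';
}

function handler(req, res) {
  const client = applyCors(req, res);
  if (client === 'rejected') {
    return res.status(403).json({ error: 'origin not allowed' });
  }
  if (req.method === 'OPTIONS') {
    return res.status(204).end(); // preflight: headers only
  }
  // CORS is enforced by browsers only; every client still needs a token.
  // Token validation itself is out of scope for this sketch.
  if (!req.headers.authorization) {
    return res.status(401).json({ error: 'missing token' });
  }
  return res.status(200).json({ client, items: [] });
}

// In a Next.js project this file would end with: export default handler;
```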

Electron as a local API server responding to http requests?

I have an electron app that renders a visualization. I need to have a different local application send an http request with parameters to my electron app which will then return a png or svg image based on the parameters. Can electron respond to external http API requests out of the box or do I need to integrate an express server within my app that will allow this? Having trouble finding documentation about this.
Electron does not have any built in modules for creating HTTP APIs.
However, both Electron processes (the main process as well as renderer processes) are Node processes, which means you have access to all Node APIs, including http - so you can build servers just as you would with Node. express would certainly make it easier.
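
What the answer describes, using Node's built-in `http` module in the Electron main process, as an added example that is not part of the original answer. The `/render` route, the `w` and `h` parameters and the drawing are assumptions; the listener binds to loopback only, so other machines on the network cannot reach it.

```javascript
const http = require('node:http');

// Hypothetical renderer: only validated integers ever reach the markup.
function renderSvg(width, height) {
  return `<svg xmlns="http://www.w3.org/2000/svg" width="${width}" height="${height}">` +
    `<rect width="${width}" height="${height}" fill="steelblue"/></svg>`;
}

// Accept 1..4096 written as plain digits; anything else is rejected.
function parseDim(raw) {
  if (!/^\d{1,4}$/.test(raw || '')) return null;
  const n = Number(raw);
  return n >= 1 && n <= 4096 ? n : null;
}

function handle(req, res) {
  // Refuse requests whose Host header is not a loopback name, so a web page
  // in the user's browser cannot reach the server through DNS rebinding.
  const host = (req.headers.host || '').split(':')[0];
  if (host !== '127.0.0.1' && host !== 'localhost') {
    res.writeHead(403);
    return res.end();
  }
  const url = new URL(req.url, 'http://127.0.0.1');
  if (req.method !== 'GET' || url.pathname !== '/render') {
    res.writeHead(404);
    return res.end();
  }
  const w = parseDim(url.searchParams.get('w'));
  const h = parseDim(url.searchParams.get('h'));
  if (w === null || h === null) {
    res.writeHead(400);
    return res.end('bad parameters');
  }
  res.writeHead(200, { 'Content-Type': 'image/svg+xml' });
  return res.end(renderSvg(w, h));
}

// Call from the main process, for example after app.whenReady().
// Port 0 lets the OS pick a free port; the host argument keeps it local.
function startServer(port = 0) {
  return http.createServer(handle).listen(port, '127.0.0.1');
}
```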

Next.js API is back-end?

I know Next.js is front-end, but when I used the API of Next.js it can respond and can manage routes or anything a back-end can do.
Then i want to know "Next.js api is back-end ?"
Yes. Next.js is a pre-rendered React app in the client-side that users can view and interact with and can be considered as front-end. At the same time, it also does server-side rendering and API routes which can perform server-side code and access data in the database and can be considered as back-end.
Next.js > v13 uses two folders app or api for Dynamic Routing. Store React components in app for client-side or server rendered components. The backend functions or server-side of Next.js is with the api folder. The api JavaScript code is not executed in the browser but with Node.js so this is not safe for static page generation. When Next.js is hosted in the cloud with Vercel then your server-side or serverless JS will render, but on Netlify or other static hosts the api folder will be ignored or throw errors. It's like running Express.js code in the browser the JIT rendered will fail
Next.js v13 transitioned React folders from pages to app and currently supports both folders. Before v13 the React client code was stored in pages only.
Next.js api provides REST API. We are sending requests internally to our next.api routes. With this you can add business logic in your next.js project without writing any additional custom server code and without configuring any api routes. In a node.js app, we need to separate api code into controllers and routes, then register each route in the express app, then you need to make sure that you registered the routes in the correct order.
The only drawback as of now, vercel does not support websocket connections. So you cannot have realtime services. But you can kinda make it almost realtime with SWR. More on SWR Basically, with swr, you tell next.js to fetch data periodically, keep the response in cache and serve it.
With this feature, Next.js provides everything to build a full-stack application. So next.js also simplifies the backend for us.
Yes. Next js is a framework of React js. You can use it as both frontend and backend. Thanks.
I come from the asp.net world and am slowly, enjoying, learning javascript development. It does clash with me though when people describe something like Next.js, which I'm enjoying learning, as a backend.
To me it is more conceptually like an asp.net server-side frontend (Webforms, MVC, Razor Pages) etc. It seems its main concern is producing reactive frontend UI. Just because some of the frontend functionality runs/processed on server does NOT make it a backend AT ALL.
What about the fact it has api endpoints?
Well to me, a web api is only a means of enabling a frontend to talk to a backend across a network, the internet in this case. For me an api handles only very limited concerns; provides the endpoints, handles de/serialisation, talks http to the caller and that's kind of it, thin and dumb.
The backend doesn't really start till you get to your App layer and then the architectural fun can start, Application orchestration, Domain logic, dependency inverted data access layer etc. etc. all the things that talk to the complexity of designing robust software.
So much talk seems to be focused on where bits sit, is it on the client, is it on the server and less about the concern of what goes where.
I think Next.js is an excellent server-side, frontend framework but whatever your onward stack into the backend, it's not a backend!
Your Question: "Then i want to know "Next.js api is back-end ?""
Simple Answer: It depends
For any technology to be a backend it must fulfill its minimum criteria to identify itself as a backend.
If you don't use NextJS features and use it as a frontend, it behaves as a frontend.
But you can use it as a backend if you want to use that way.

How can I setup sign in as Google account on a react native + asp core web api and Identity server as middleware

How can I configure my mobile app project to sign in using external providers (Google)? I am using react native + web api core. Most examples using google sign in are using an ASP.Net Web application, not a web Api. I am also using Identity server as middleware.
IDS4 still requires a serverside UI (although you could in theory use whatever client side framework you wish) so to keep things simple I'd wire the Google sign into your existing sign in UI flow.
For a native app it's strongly recommended that you use the authorization code flow with PKCE and use ASWebAuthenticationSession or custom tabs for iOS and Android respectively.

Use Webpack for Client only in strongloop-loopback

I want to use webpack bundling for only the client part of a Strongloop Loopback project (I want to use vueJs in the client or frontend). I've been looking at loopback-webpack-plugin. As there is no proper documentation for it, I am unable to use it the way I wanted.
Thanks in advance.
Since you are going to write your client in VueJS, the configuration of your build process for the client is going to be pretty much independent of LoopBack. Please look for resources on how to configure Webpack for VueJS.
There is one part relevant to LoopBack though: how to serve your VueJS front-end files from a LoopBack application. In a typical LoopBack project scaffolded via lb, the client (front-end) assets created by Webpack should be placed in the client directory. See Adding a static web page in LoopBack's documentation to learn how to expose the content of the client directory as a web application.