The Dark Side of Microfrontends: Isolated Apps, Shared Breaches

Neelesh RoyNeelesh Roy
4 min read

TL;DR

RiskWhy It MattersMitigation
Shared Global ScopeOne XSS = all apps exposedNo window state, strict scoping
Token LeakageSession hijackUse secure cookies, avoid localStorage
Inconsistent HeadersWeakest link attackEnforce CSP & headers per MF
Untrusted 3rd PartiesExfiltration & privilege escalationSandbox, audit dependencies
Cross-MF CommunicationHijack potentialValidate all postMessage traffic

Introduction

Microfrontends have become the poster child of frontend scalability. They promise agility, team autonomy, and faster deployments. But as with all architectures, abstraction can hide risk. And when it comes to security, microfrontends don’t isolate you as well as you think.

This post explores the hidden security risks of microfrontend architectures, based on real-world design patterns, attack vectors, and lessons from large-scale deployments.

Quick Recap: What Are Microfrontends?

Microfrontends split a large frontend monolith into smaller, independently deployable apps—each owned by a separate team. Think of them as the frontend equivalent of microservices.

  • Independent apps (login, dashboard, payments) loaded dynamically

  • Shared via iframes, Web Components, module federation, or runtime composition

  • Usually orchestrated by a shell or layout service

Sounds good? Sure. But here’s the problem.

The False Sense of Security

Microfrontends give the illusion of isolation, but security boundaries don’t exist by default.

Unless you explicitly enforce sandboxing (e.g. iframes with proper sandbox attributes), these micro-apps share the same browser runtime, global scope, and even localStorage.

Which leads to...

Real Attack Surfaces in Micro-frontend Architectures

Shared Global Scope: One Breach, All Breached

In common setups using module federation or runtime composition:

window.currentUser = { id: 42, role: 'admin' }; // accessible globally

Any loaded micro-frontend, including third-party ones, can:

  1. Read this data

  2. Modify it

  3. Leak the data

One malicious micro-app or XSS = breach across all modules.

Cross-MF XSS Injection

Imagine your Marketing team’s microfrontend loads a 3rd-party script or has unescaped user-generated content:

<div dangerouslySetInnerHTML={{ __html: comment }} />

If compromised:

  • The injected script can steal auth tokens stored in localStorage

  • Interact with other MFs via DOM or global context

  • Hijack navigation, form submissions, even inject fake UIs

Session & Token Leakage

In a typical auth flow:

  • Token is stored in localStorage or window.sessionStorage

  • Shared across MFs via some context or token service

Without strict isolation, a vulnerable or rogue MF:

  • Reads the token and exfiltrates it

  • Uses it to perform CSRF on protected endpoints

  • Escalates privileges if session scopes are misconfigured

Inconsistent CSP & Security Headers

Each microfrontend might:

  • Be deployed on a separate domain or CDN

  • Serve its own headers (or none)

This creates a patchwork of policies:

  • One MF may allow unsafe-inline scripts

  • Another may not have X-Frame-Options

  • Result? Attackers will target the weakest link

Iframe Isolation ≠ Immunity

Using iframe composition?

  • Great for isolation only if sandbox, allow-scripts, and CSP headers are tightly configured

  • But even iframes can be exploited:

    • Clickjacking

    • PostMessage hijacking

    • DOM-based phishing UIs mimicking the host shell

Security Guidelines for Microfrontends

Here’s how to avoid turning your MF system into a house of cards:

1. Enforce Strong CSP & Per-App Security Headers

  • No unsafe-inline

  • Strict frame-ancestors, default-src, script-src

  • Consistent policies across all apps

2. Isolate Microfrontends by Default

  • Use sandboxed iframes or Web Workers where possible

  • Avoid global window pollution

  • Pass data via scoped props or messages only

3. Never Share Sensitive State via Globals

  • Use encrypted, scoped tokens

  • Leverage secure cookies (HttpOnly, SameSite)

  • Consider a secure, shared auth service with clear boundaries

4. Harden Inter-App Communication

  • Use postMessage with strict origin validation

  • Validate message schemas

  • Don’t expose functions globally

5. Perform Threat Modeling Per MF

  • Treat each MF as untrusted

  • Audit them individually and as a system

  • Assume breach: implement defense in depth

Final Thoughts

Microfrontends are powerful—but security must be a first-class citizen, not an afterthought.

In a world where frontend is backend, and where user sessions drive business logic, you cannot afford to let your system fall victim to internal oversights.

Isolation in architecture does not mean isolation in execution.

Adopt microfrontends, but do it with paranoia and precision.

6
Subscribe to my newsletter

Read articles from Neelesh Roy directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Neelesh Roy
Neelesh Roy

Neelesh is a Senior Frontend Engineer in the insurance technology industry. He specializes in building responsive, reliable, and user-friendly web applications. With years of experience in modern JavaScript frameworks, he cares deeply about clean code, performance, and good user experience. Neelesh enjoys solving complex business problems with simple, practical solutions. He often works closely with designers and backend teams to bring ideas to life. Outside of work, he likes to stay updated with the latest in web development and technology trends.