Things Developers Get Wrong About the Backend for Frontend Pattern


This page summarizes an auth0.com post on common misconceptions about the Backend for Frontend (BFF) pattern, with a focus on the security implications. Key points: PKCE and BFF solve different problems and are complementary, not alternatives. PKCE binds the authorization code to the client instance that started the flow, so an intercepted or injected code cannot be redeemed by anyone else; BFF keeps access and refresh tokens out of the browser entirely. A true BFF is a confidential OAuth client: it redeems the authorization code itself, with its own client credentials, and holds the resulting tokens server-side. A reverse proxy that merely forwards tokens the browser already holds is not a BFF. HttpOnly cookies are not less secure than tokens in localStorage: they remove XSS-based token exfiltration and replace it with a CSRF attack surface that is well understood and can be constrained (SameSite, the __Host- cookie prefix, Origin or CSRF-token checks). The residual risk is worth stating plainly: an XSS payload can still drive the BFF on the user's behalf from the compromised page, so the cookie limits token theft, not session abuse. BFF does not automatically provide CSRF protection, session invalidation (including revoking the upstream tokens on logout), secure cookie configuration, or authorization at the API; each still has to be implemented. Finally, teams do not need a full rewrite: a BFF can be introduced incrementally as an authentication layer in front of existing backend APIs without changing those APIs.

7 min read. From auth0.com.
Table of contents

- Why PKCE Isn't a Replacement for BFF
- BFF Is Not Just a Proxy
- No, Cookies Are Not Less Secure Than Tokens
- BFF Does Not Solve All Your Browser Auth Security Problems
- You Don't Need to Rewrite Your Entire Application
- Start With the Threat Model
