I want this to be a more a general question and discussion thread. We are thinking about restructuring our application webpage and build it as a single page application. This has the advatage, that the webserver does not need any session handling any more, as well as the single page application (SPA) would just be another client to the backendless API.
Currently we are using many PHP scripts in the webpage and all requests to the backendless API are done in PHP. Also dynamic AJAX requests from the webpage are going to PHP scripts, which are then calling the backendless API.
My concerns about a single application is the security of the user-token. There is only the way to store it in the local/sessionStorage, as the Backendless JS SDK does. The advantage of the PHP session solution was, that the user-token is never forwarded to the browser and JS, so there were less XSS and CSRF problems.
Any ideas how to improve the security of a SPA? Any recommendations to build a secure SPA?