ASVS Requirement 10.1.1
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.1 Generic OAuth and OIDC Security
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that tokens are only sent to components that strictly need them. For example, when using a backend-for-frontend pattern for browser-based JavaScript applications, access and refresh tokens shall only be accessible to the backend.