Best practices for SPA?

Hi there,

We recommend deploying your SPA as a static asset on AWS S3 + CloudFront (i.e. using AWS for static website hosting). Most SPA frameworks should support this out of the box or via a plugin, and this should be pretty inexpensive (i.e. in the $0-$10 range). There’s also a lot of content on the internet you can find regarding this approach.

Your API should then be hosted on a separate domain. For example, you’ll serve your SPA at www.example.com, and run your API at api.example.com. You’ll indeed need to enable CORS to make this work. To do so, you need to configure your API to send a few headers to indicate it allows requests from your SPA. Most application frameworks have middleware that can be used to set up CORS, so I’d recommend googling for “whatever framework you’re using CORS”.

That being said, setting up CORS is really just about serving a few headers with your HTTP response. You’ll typically need at least those:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: OPTIONS, PATCH, GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Allow-Origin: https://$YOUR_DOMAIN

CORS might seem like added complexity here, but in our experience this will turn out to be less work than configuring Nginx properly to act as a reverse proxy (not to mention the reduced operations overhead).

From a compliance perspective, your SPA does not handle PHI (more details here): it’s just a static website serving code for your app. The actual PHI is served by your API server. That being said, as indicated in the link, your SPA is still part of your security program (but that would be the case regardless of how you deploy this).

Finally, note that:

  • What I’m describing is exactly how Aptible itself is set up. dashboard.aptible.com is a SPA served by S3 + CloudFront, that talks to e.g. api.aptible.com, auth.aptible.com.
  • You may not need a BAA with AWS if all you’re storing in S3 is your SPA. However, you might want to consider executing a BAA with AWS anyway to be able to use it for PHI. Note that you do not need to pay the dedicated instance fee to use S3 for PHI.

Disclaimer: this isn’t legal advice / I’m not a lawyer.