Hi Saktivel,
I think it is very important:
- Avoid hardcoding users & passwords in service calls in JS code. Avoid storing user & password cookies in mobile scenarios. Use single sign-on or logon token mechanisms (with a validity period) in order to store a user cookie. When the token expires, your app must ask for logon credentials again.
- Use https to encode transport data.
- If you use cookies or a local browser database, try not to store unsafe data like employee personal data or similar. If you need to store it, encode it.
- Don't publish your services without credentials (publicly).
- Don't publish your backend to the Internet without a Web Proxy in front. You could expose your backend to DoS (denial of service) attacks, for example. It is better that your web proxy falls instead of your backend.
Cheers
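As an added example (not code from the original post), here is the token-with-validity-period pattern from the first point: the client sends credentials once over https, keeps only the returned token and its expiry, and asks for credentials again when the token expires or the backend rejects it. The names `loginUrl`, `serviceUrl`, `askCredentials` and `transport` are assumptions; `transport(url, request)` stands in for fetch/XHR and returns `{ status, body }` synchronously so the flow runs offline.

```javascript
// Added example, not from the original post. Only the token is kept in
// memory; the password is used once for logon and never stored.
const session = { token: null, expiresAt: 0 };

function tokenIsValid(now = Date.now()) {
  return session.token !== null && now < session.expiresAt;
}

function clearToken() {
  session.token = null;
  session.expiresAt = 0;
}

// Refuse plaintext transport: the token would otherwise travel in the clear.
function requireHttps(url) {
  if (!url.startsWith('https://')) throw new Error(`refusing non-https URL: ${url}`);
}

// Ask the user for credentials, send them once, keep only the returned token.
function logon(transport, loginUrl, askCredentials, now = Date.now()) {
  requireHttps(loginUrl);
  const { user, password } = askCredentials();
  const res = transport(loginUrl, { method: 'POST', body: { user, password } });
  if (res.status !== 200) throw new Error(`logon failed: HTTP ${res.status}`);
  session.token = res.body.token;
  session.expiresAt = now + res.body.expiresIn * 1000; // validity period in seconds
}

// Call a protected service with the token; re-logon on expiry or on a 401.
function callService(transport, serviceUrl, loginUrl, askCredentials, now = Date.now()) {
  requireHttps(serviceUrl);
  if (!tokenIsValid(now)) logon(transport, loginUrl, askCredentials, now);
  const auth = () => ({ method: 'GET', headers: { Authorization: `Bearer ${session.token}` } });
  let res = transport(serviceUrl, auth());
  if (res.status === 401) { // backend no longer accepts the token: ask again
    clearToken();
    logon(transport, loginUrl, askCredentials, now);
    res = transport(serviceUrl, auth());
  }
  return res;
}

// Constructed fake backend (hypothetical) for a stand-alone run: issues
// 60-second tokens for the right password and accepts only the latest one.
function makeFakeBackend() {
  let issued = 0;
  return (url, req) => {
    if (url.endsWith('/logon')) {
      if (req.body.password !== 'secret') return { status: 401, body: {} };
      return { status: 200, body: { token: `t${++issued}`, expiresIn: 60 } };
    }
    const ok = req.headers.Authorization === `Bearer t${issued}`;
    return ok ? { status: 200, body: { data: 'ok' } } : { status: 401, body: {} };
  };
}
```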