Self-service flows: Understanding security warning on documentation

[bastiW]

Hi

on the Kratos Self-service documentation site there is written the following

WARNING
Never use API flows to implement Browser applications! Using API flows in Single-Page-Apps as well as server-side apps opens up several potential attack vectors, including Login and other CSRF attacks.

I don't get this warning on this page, because on the same page there are explanations for browser apps like

• PHP / Node / Java https://www.ory.sh/docs/kratos/self-service#browser-flows-for-server-side-apps-nodejs-php-java-
• SPA, React, Next, Angular https://www.ory.sh/docs/kratos/self-service#browser-flows-for-client-side-apps-single-page-apps-reactjs-angular-nextjs-

What is now correct?

a) Never use API Self Service flows within browsers (I think that a react spa, next or PHP is a browser application)
b) I can implement the self service into my Next.JS or React SPA

[kmherrmann]

The docs distinguish between API-based flows and Browser-based flows. The Guides are specifically for browser flows, and actually consistent with the warning: Don't use the flows where API interaction is required (mobile app, Smart TV, ...) in a web browser.

"All Self-Service Flows (User Login, User Registration, Profile Management, Account Recovery, Email or Phone verification) support these two flow types and use the same data models but do use different API endpoints."