Security in Angular js

If you talk to the server via https, you don’t have a problem with replay attacks.

My suggestion would be to leverage your server’s security technology. For example, JavaEE has an out-of-the-box login mechanism, declarative role-based protection of resources (your REST endpoints) etc. These are all managed with a set of cookies and you don’t have to care about storage and expiration. Check out what your server/framework already gives you.

If you plan to expose your API to a broader audience (not specifically to the browser-based UI that you serve) or other types of clients (e.g. mobile app), consider adopting OAuth.

Off the top of my head, Angular has the following security features (will add more as they pop-out):

CSRF/XSRF attacks

Angular supports an out of the box mechanism for CSRF protection. Check out $http docs. Server-side support is needed.

Content Security Policy

Angular has a mode of expression evaluation that is compatible with more strict JavaScript runtimes that are enforced when CSP is enabled. Check out ng-csp docs.

Strict Contextual Escaping

Use Angular’s new $sce feature (1.2+) to harden you UI against XSS attacks etc. It’s a bit less convenient but more secure. Check out the docs here.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s