Security in Angular js

If you talk to the server via https, you don’t have a problem with replay attacks.

My suggestion would be to leverage your server’s security technology. For example, JavaEE has an out-of-the-box login mechanism, declarative role-based protection of resources (your REST endpoints) etc. These are all managed with a set of cookies and you don’t have to care about storage and expiration. Check out what your server/framework already gives you.

If you plan to expose your API to a broader audience (not specifically to the browser-based UI that you serve) or other types of clients (e.g. mobile app), consider adopting OAuth.

Off the top of my head, Angular has the following security features (will add more as they pop-out):

CSRF/XSRF attacks

Angular supports an out of the box mechanism for CSRF protection. Check out $http docs. Server-side support is needed.

Content Security Policy

Angular has a mode of expression evaluation that is compatible with more strict JavaScript runtimes that are enforced when CSP is enabled. Check out ng-csp docs.

Strict Contextual Escaping

Use Angular’s new $sce feature (1.2+) to harden you UI against XSS attacks etc. It’s a bit less convenient but more secure. Check out the docs here.