Is your app secure
1 like102 views
- The document discusses best practices for securing an Angular application including using the latest version of Angular, preventing XSS and XSRF attacks, avoiding direct DOM manipulations, using ahead-of-time compilation for faster rendering and better security, and never using Angular templating from the server side. - It explains that Angular sanitizes and escapes untrusted values by default to prevent XSS and that the HttpClient has support for cookie-based XSRF protection. - Macaroons are also mentioned as a way to implement decentralized authorization across multiple languages.
Is your app secure
- 1. Is Your App Secure Chathur anga Bandar a
- 2. Who TF is this? • Engineer by profession, Husband and a Father by decision • Love Python • Love and hate JavaScript • Have 8 odd years of experience doing some coding and shit • Like CnH2n+1OH, Gin to be specific
- 6. Use Latest Angular Possible
- 7. XSS | XSRF
- 8. XSS?
- 9. “enables an attacker toinject client-side script into web pages viewed by other users”
- 12. How toPrevent?
- 13. Angular is a Good Guy..
- 14. Rather Like an overprotective Girl/Boy Friend
- 15. “Angular treats all values as untrusted bydefault. When a value is insertedinto the DOM froma template, via property, attribute, style and class binding, orinterpolation, Angular sanitizes and escapes untrusted values.”
- 17. unsafe value usedin a resource URL context.
- 18. Bypassing?
- 19. Makesure you sanitize after!
- 26. “You can compilethe app in the browser, at runtime, as the application loads, usingthe just-in-time (JIT) compiler. This is the standard development approach shownthroughout the documentation. It's great but it has shortcomings.”
- 27. “With AOT, the compiler runs onceat build time using oneset of libraries; with JIT it runs every time forevery user at runtime using a different set of libraries.”
- 28. Faster Rendering FewerAsync Requests Smaller Angular frameworkdownload Detect Template Errors earlier Better Security
- 29. Never use Angular Templating fromServer side
- 30. XSRF??
- 31. “Cross-Site Request Forgery(CSRF) is an attack that forcesan end user to executeunwanted actions ona web application in whichthey're currentlyauthenticated.”
- 32. To prevent this, the application must ensure that a user request originates fromthe real application
- 33. Angular's HttpClient has built-in support for theclient-side half ofthis technique.
- 36. Macaroons
- 38. js-macaroon
- 41. Thank you
Editor's Notes
- #2: Good evening everyone. In this session I’m going to talk about Angular-CLI. Which is the Command Line Interface for Angular 2 development
- #18: Angular throwing this error because the <iframe src> attribute is a resource URL security context, because an untrusted source can, for example, smuggle in file downloads that unsuspecting users could execute.
- #29: Faster rendering With AOT, the browser downloads a pre-compiled version of the application. The browser loads executable code so it can render the application immediately, without waiting to compile the app first. Fewer asynchronous requests The compiler inlines external HTML templates and CSS style sheets within the application JavaScript, eliminating separate ajax requests for those source files. Smaller Angular framework download size There's no need to download the Angular compiler if the app is already compiled. The compiler is roughly half of Angular itself, so omitting it dramatically reduces the application payload. Detect template errors earlier The AOT compiler detects and reports template binding errors during the build step before users can see them. Better security AOT compiles HTML templates and components into JavaScript files long before they are served to the client. With no templates to read and no risky client-side HTML or JavaScript evaluation, there are fewer opportunities for injection attacks.
- #32: CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request