Uploaded byChathuranga Bandara
Is your app secure
- The document discusses best practices for securing an Angular application including using the latest version of Angular, preventing XSS and XSRF attacks, avoiding direct DOM manipulations, using ahead-of-time compilation for faster rendering and better security, and never using Angular templating from the server side. - It explains that Angular sanitizes and escapes untrusted values by default to prevent XSS and that the HttpClient has support for cookie-based XSRF protection. - Macaroons are also mentioned as a way to implement decentralized authorization across multiple languages.
More Related Content
Is your app secure
- 1. Is Your AppSecure Chathur anga Bandar a
- 2. Who TF isthis? • Engineer by profession, Husband and a Father by decision • Love Python • Love and hate JavaScript • Have 8 odd years of experience doing some coding and shit • Like CnH2n+1OH, Gin to be specific
- 4.
- 5.
- 6. Use Latest AngularPossible
- 7.
- 8.
- 9. “enables an attackertoinject client-side script into web pages viewed by other users”
- 12.
- 13. Angular is aGood Guy..
- 14. Rather Like anoverprotective Girl/Boy Friend
- 15. “Angular treats allvalues as untrusted bydefault. When a value is insertedinto the DOM froma template, via property, attribute, style and class binding, orinterpolation, Angular sanitizes and escapes untrusted values.”
- 17. unsafe value usedina resource URL context.
- 18.
- 19. Makesure you sanitizeafter!
- 22.
- 25.
- 26. “You can compiletheapp in the browser, at runtime, as the application loads, usingthe just-in-time (JIT) compiler. This is the standard development approach shownthroughout the documentation. It's great but it has shortcomings.”
- 27. “With AOT, thecompiler runs onceat build time using oneset of libraries; with JIT it runs every time forevery user at runtime using a different set of libraries.”
- 28. Faster Rendering FewerAsync Requests SmallerAngular frameworkdownload Detect Template Errors earlier Better Security
- 29. Never use AngularTemplating fromServer side
- 30.
- 31. “Cross-Site Request Forgery(CSRF)is an attack that forcesan end user to executeunwanted actions ona web application in whichthey're currentlyauthenticated.”
- 32. To prevent this,the application must ensure that a user request originates fromthe real application
- 33. Angular's HttpClient hasbuilt-in support for theclient-side half ofthis technique.
- 34.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
Editor's Notes
- #2 Good evening everyone. In this session I’m going to talk about Angular-CLI. Which is the Command Line Interface for Angular 2 development
- #18 Angular throwing this error because the <iframe src> attribute is a resource URL security context, because an untrusted source can, for example, smuggle in file downloads that unsuspecting users could execute.
- #29 Faster rendering With AOT, the browser downloads a pre-compiled version of the application. The browser loads executable code so it can render the application immediately, without waiting to compile the app first. Fewer asynchronous requests The compiler inlines external HTML templates and CSS style sheets within the application JavaScript, eliminating separate ajax requests for those source files. Smaller Angular framework download size There's no need to download the Angular compiler if the app is already compiled. The compiler is roughly half of Angular itself, so omitting it dramatically reduces the application payload. Detect template errors earlier The AOT compiler detects and reports template binding errors during the build step before users can see them. Better security AOT compiles HTML templates and components into JavaScript files long before they are served to the client. With no templates to read and no risky client-side HTML or JavaScript evaluation, there are fewer opportunities for injection attacks.
- #32 CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request