Security Features in AngularJs

  One of the major concerns with any new technologies is security. They might introduce security holes into an organization’s IT infrastructure. But if you are using AngualarJs then this concern isn’t very severe. Securing an AngularJS application is as simple as enforcing the good security practices for any web-application.
In this post I am going to take you through built in security features in AngularJs that you should keep in mind as you build your application. I will be also updating this post time to time whenever I got something new about Security in AngularJs.

So lets begin with AngularJS security features one by one.

 1. Expression Sandboxing

AngularJS’s expressions are sandboxed, this means AngularJs restricts the expression from evaluating unsafe expressions. These can attempt to access the Function constructor, window object, DOM element, global variables, or the Object constructor. With these restrictions, all an attacker can do is execute a mathematical function, call an already existing function of the application, or display and modify data from a scope variable. This limits the impact of an Angular injection. Although, the AngularJS documentation explicitly states that the sandbox’s purpose is to maintain a separation of application responsibilities. The sandbox isn’t available for the purpose of security. As a result, the AngularJS sandbox shouldn’t be considered a security boundary.

2. Cross Site Request Forgery (XSRF) Protection

Cross-site request forgery (XSRF or CSRF) is a method of attacking a Web site in which an intruder masquerades as a legitimate and trusted user, i.e. attacker can trick an authenticated user into unknowingly executing actions on website. Angular provides a mechanism to protect from XSRF. When performing XHR requests, the $http service reads a token from a cookie (by default, XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain. The header will not be set for cross-domain requests.

You can also implement this explicitly by writing AngularJs Interceptor. Interceptors are bassically build for authentication,global error handling,or any kind of synchronous or asynchronous pre-processing of request or postprocessing of responses. With the help AngularJs Interceptors you can intercept requests before they are handed to the server and responses before they are handed over to the application code that initiated these requests.
To take advantage of this you need to implement few things on your server side. Your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on the first HTTP GET request. On subsequent XHR requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have sent the request. The token must be unique for each user and must be verifiable by the server (to prevent the JavaScript from making up its own tokens). It is recommend that the token is a digest of your site’s authentication cookie with a salt for added security.

3. JSON Hijacking Protection

If you don’t know what is JSON Hijacking then please go through this link. JSON Hijacking can be prevented by server side prefixing all JSON requests with following string “)]}’,\n”. Now AngularJs will automatically strip the prefix before processing it as JSON.

Reference / Source : https://docs.angularjs.org/guide/security