AngularJS Security : why we are covering security in a book on AngularJS

Categories: Angular Angular JS

AngularJS Security : why we are covering security in a book on AngularJS

 

You might wonder why we are covering security in a book on AngularJS. Well, quite simply, security is one of the most important and most challenging tasks faced by an AngularJS developer. It’s not that the developer is actually responsible for implementing the security layer — that is not the case at all — but it is very important for an AngularJS developer to understand the role that AngularJS plays in the overall security model of an application or website.

You should never attempt to implement an independent client-side security layer in an AngularJS application, or any other JavaScript application for that matter. Security should always be implemented on the backend services where the data resides. That is the only safe place to implement a security layer.

Remember the user has full access to the JavaScript running in the browser. As I said before, our AngularJS application runs in the user’s browser on the user’s hardware. The user can save the JavaScript locally and easily make modifications circumventing any security layer implemented by an unsuspecting JavaScript developer.

With that in mind, there are several rules that AngularJS developers and backend developers need to remember. Although actually implementing the security layer is not usually the job of an AngularJS developer, it is often a collaborative effort for all developers involved in a project. The following rules should always be considered:

1. Always use SSL to communicate with REST services that contain private data (HTTPS).

2. Always use some type of authentication on each REST service call that contains private data (Basic Authentication, for example).

3. Never hold REST service authentication status in a session variable on the server. Doing that opens your server-side application up to cross-origin attacks and other serious security concerns.

4. Never implement a Cross-Origin Resource Sharing (CORS) layer that returns * as the list of allowed domains. For example, (Access-Control-Allow-Origin: *)

would allow all domains to make cross-origin calls to the REST services on the site. Doing that circumvents the browser’s CORS security implementation completely. 

5. Always make sure that any JavaScript that may get injected inside a JSON property

does not get executed on the server-side. This design flaw is at the core of the NoSQL injection attack, where JavaScript functions are injected in the JSON request of a service and unknowingly executed by the server, in order to breach the security of a NoSQL database.

 

Always remember that any security-related JavaScript code can be viewed and modified by the user. While most modern browsers do offer built-in security, JavaScript developers should never rely on the browser for security. The responsibility for security rests entirely on the shoulders of the backend service developers. With that said, I will show some techniques for developing AngularJS applications that work well with a security layer implemented properly in the backend services.

Top Blogs
Angular and Node JS difference Published at:- The top 5 new features of Angular did you know Published at:- Introduction to AngularJS Published at:- Single-Page Applications and Bootstrapping the Application in Angular JS Published at:- Dependency Injection and AngularJS Routes Published at:- AngularJS Templates, Views, Models, Controllers Published at:- Integrating AngularJS with Other Frameworks Published at:- Testing AngularJS Applications in the IDE Published at:- End-to-End Testing with Protractor Published at:- AngularJS Views and Bootstrap Published at:- Adding a New Blog Controller Published at:- Adding a New Blog Template In Angular JS Published at:- Ways to Communicate with REST Services Published at:- Services and Business Logic and Handling User Authentication in Angular JS Published at:- Using Basic Authentication, Creating AngularJS Services, Holding User Credentials in Angular JS Published at:- AngularJS Security : why we are covering security in a book on AngularJS Published at:- MEAN Cloud and Mobile, Local Deployment and Installing Node.js, npm, and MongoDB in Angular Published at:- Angular 4 Questions - Angular 4 Quiz (MCQ) Published at:- AngularJS MCQ Quiz Questions with Answer Part 2 Published at:- AngularJS MCQ Quiz Questions with Answer Published at:- AngularJS MCQ Quiz Questions with Answer Published at:- Angular Interview Question Set 1 Published at:- Angular Interview Question Set 2 Published at:- Angular Interview Question Set 3 Published at:- Angular Interview Question Set 4 Published at:- Angular Interview Question Set 5 Published at:- Angular Interview Question Set 7 Published at:- Angular Interview Question Set 8 Published at:- Angular Interview Question Set 9 Published at:- Angular Interview Question Set 10 Published at:- Angular Interview Question Set 11 Published at:- Angular Interview Question Set 11 Published at:- Angular Interview Question Set 12 Published at:- Angular Interview Question Set 13 Published at:- Angular Interview Question Set 14 Published at:- Angular Interview Question Set 15 Published at:- React versus Angular What Would it be advisable for You Pick Published at:- 9 Advantages of Angular you really want to be aware if you have any desire to assemble Computerized Items Published at:- Compromises Between The Great And Terrible Sides Of Angular Development Published at:- Top 20 Angular 10 Inquiries Questions and Answer Published at:- 9 Advantages of Angular you want to be aware to assemble Advanced Items Published at:- Top 5 Elements Angular Favored Decision for Web Improvement Published at:-
R4R.co.in Team
The content on R4R is created by expert teams.