AngularJS Security : why we are covering security in a book on AngularJS
You might wonder why we are covering security in a book on AngularJS. Well, quite simply, security is one of the most important and most challenging tasks faced by an AngularJS developer. It’s not that the developer is actually responsible for implementing the security layer — that is not the case at all — but it is very important for an AngularJS developer to understand the role that AngularJS plays in the overall security model of an application or website.
You should never attempt to implement an independent client-side security layer in an AngularJS application, or any other JavaScript application for that matter. Security should always be implemented on the backend services where the data resides. That is the only safe place to implement a security layer.
Remember that the user has full access to the JavaScript running in the browser. As I said before, our AngularJS application runs in the user’s browser on the user’s hardware. The user can save the JavaScript locally and easily make modifications that circumvent any security layer implemented by an unsuspecting JavaScript developer.
With that in mind, there are several rules that AngularJS developers and backend developers need to remember. Although actually implementing the security layer is not usually the job of an AngularJS developer, it is often a collaborative effort for all developers involved in a project. The following rules should always be considered:
1. Always use SSL/TLS (HTTPS) to communicate with REST services that handle private data.
2. Always use some type of authentication on each REST service call that contains private data (Basic Authentication, for example).
3. Never hold REST service authentication status in a session variable on the server. Doing that opens your server-side application up to cross-origin attacks and other serious security concerns.
4. Never implement a Cross-Origin Resource Sharing (CORS) layer that returns * as the list of allowed domains. For example, the response header Access-Control-Allow-Origin: * would allow all domains to make cross-origin calls to the REST services on the site. Doing that circumvents the browser’s CORS security implementation completely.
5. Always make sure that any JavaScript that may get injected inside a JSON property does not get executed on the server side. This design flaw is at the core of the NoSQL injection attack, where JavaScript functions are injected in the JSON request of a service and unknowingly executed by the server, in order to breach the security of a NoSQL database.
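Rules 4 and 5 are backend checks, so here is an added example (not code from the book) of what they look like on a Node/Express-style service: an explicit origin allowlist instead of *, and a body check that rejects JSON objects whose keys a document database would interpret as operators. The origins, the "$"-prefixed-key convention and the middleware name are assumptions for the illustration.

```javascript
// Added example, not from the book: backend-side checks for rules 4 and 5,
// written as plain functions so they can be unit-tested without a server.
// Assumptions: an Express-style request/response object and a JSON document
// store that treats "$"-prefixed keys (for example "$where") as operators.

// Rule 4: never answer with "Access-Control-Allow-Origin: *" for private data.
// Keep an explicit allowlist and echo back only an origin that is on it.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed sample values
  'https://admin.example.com',
]);

function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return null; // no CORS headers at all: the browser blocks the cross-origin read
  }
  return {
    'Access-Control-Allow-Origin': origin, // the specific origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not reuse one origin's answer for another
  };
}

// Rule 5: make sure nothing in a JSON body can reach the database as code.
// Walk the parsed body and flag any object key that starts with "$" or
// contains "." (the shapes a document store reads as operators or paths).
// Plain scalar values such as strings and numbers are left alone.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => k.startsWith('$') || k.includes('.') || hasOperatorKeys(value[k])
  );
}

// Hypothetical Express-style middleware assembled from the two checks.
function privateDataGuard(req, res, next) {
  const cors = corsHeadersFor(req.headers.origin);
  if (cors) {
    for (const [name, val] of Object.entries(cors)) res.setHeader(name, val);
  }
  if (hasOperatorKeys(req.body)) {
    return res.status(400).json({ error: 'operator keys are not accepted' });
  }
  next();
}
```

Mount privateDataGuard before the route handlers of every service that returns private data; the origin check and the body check are independent, so either can be reused on its own.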
Always remember that any security-related JavaScript code can be viewed and modified by the user. While most modern browsers do offer built-in security, JavaScript developers should never rely on the browser for security. The responsibility for security rests entirely on the shoulders of the backend service developers. With that said, I will show some techniques for developing AngularJS applications that work well with a security layer implemented properly in the backend services.