Sunday, December 2, 2018

Security in Angular


UP-TO-DATE ANGULAR LIBRARIES
The Angular team releases at regular intervals, shipping feature enhancements, bug fixes and security patches as appropriate, so keep your Angular dependencies up to date.

SANITIZATION AND SECURITY CONTEXTS

To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template, via property, attribute, style, class binding, or interpolation, Angular sanitizes and escapes untrusted values.

THE DOM SANITIZATION SERVICE

The goal of the DomSanitizer is to clean untrusted parts of values.


HOW CAN WE DISABLE THE SANITIZATION LOGIC?

In specific situations it might be necessary to disable sanitization. Developers can bypass it by constructing a value with one of the bypassSecurityTrustX methods and then binding to that value from the template; doing so is an assertion that the value is safe, so it belongs only on values the application itself controls.
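The "untrusted by default" contract described in the three sections above, as an added example that is not Angular's own code: DemoSanitizer and TrustedValue are stand-ins for Angular's DomSanitizer and its SafeHtml/SafeUrl results so the file runs in plain Node, and the sample comment body and link are constructed input.

```javascript
// Added example (not Angular's code): a small model of how every bound value
// is sanitized for its security context unless it was explicitly marked
// trusted with a bypassSecurityTrustX-style call.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that would let text break out into markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only schemes that cannot run script; anything else is neutralised by
// prefixing "unsafe:", which is also what Angular does with rejected URLs.
function sanitizeUrl(url) {
  const trimmed = String(url).trim();
  return /^(https?:|mailto:|\/|\.\/|#)/i.test(trimmed) ? trimmed : "unsafe:" + trimmed;
}

// Wrapper that marks a value as trusted for exactly one security context
// (stand-in for Angular's SafeHtml / SafeUrl).
class TrustedValue {
  constructor(context, value) {
    this.context = context;
    this.value = value;
  }
}

class DemoSanitizer {
  // Default path: a plain value is sanitized for the context it is bound in.
  sanitize(context, value) {
    if (value instanceof TrustedValue) {
      if (value.context !== context) {
        throw new Error(`value trusted for ${value.context} bound in ${context} context`);
      }
      return value.value; // bypass: the caller vouched for this value, emit it verbatim
    }
    return context === "html" ? escapeHtml(value) : sanitizeUrl(value);
  }
  // Counterparts of Angular's bypassSecurityTrustHtml/Url: reserve them for
  // app-controlled markup, never for user input.
  bypassSecurityTrustHtml(value) { return new TrustedValue("html", value); }
  bypassSecurityTrustUrl(value) { return new TrustedValue("url", value); }
}

// What an [innerHTML] plus [href] binding would produce: both values pass
// through the sanitizer before reaching the markup.
function renderComment(sanitizer, body, link) {
  const html = sanitizer.sanitize("html", body);
  const href = escapeHtml(sanitizer.sanitize("url", link)); // attribute quoting on top of the URL rules
  return `<p>${html}</p><a href="${href}">link</a>`;
}

// Constructed sample input, as if submitted by a user.
const userBody = "<b>bold</b> & <i>italic</i>";
const userLink = "javascript:void(0)";

const sanitizer = new DemoSanitizer();
console.log(renderComment(sanitizer, userBody, userLink));
// Markup the application itself wrote, so a bypass is acceptable here.
console.log(renderComment(sanitizer, sanitizer.bypassSecurityTrustHtml("<em>staff</em>"), "https://example.com/"));
```

The context check in sanitize matters: a value trusted as HTML must not be accepted where a URL is expected, which is why the stand-in throws on a mismatch instead of falling back to the raw value.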

CONTENT SECURITY POLICY (CSP)

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. 
To enable CSP, configure your web server to return an appropriate Content-Security-Policy HTTP header. 


USE THE OFFLINE TEMPLATE COMPILER (AKA AOT-COMPILER)

Angular templates are the same as executable code: HTML, attributes, and binding expressions (but not the values bound) in templates are trusted to be safe. This means that if an attacker can control a value that is parsed as part of a template, we have a security vulnerability known as template injection. Never generate template source code by concatenating user input and templates. To prevent these vulnerabilities, use the offline template compiler, also known as the AOT compiler, so templates are compiled ahead of time rather than parsed in the browser.

AVOID DIRECT USE OF THE DOM APIS

The built-in browser DOM APIs don’t automatically protect you from security vulnerabilities. For example, document, the node available through ElementRef, and many third-party APIs contain unsafe methods. Avoid interacting with the DOM directly and instead use Angular templates where possible.



SERVER-SIDE XSS PROTECTION

Injecting template code into an Angular application is the same as injecting executable code into the application. So, validate all data in server-side code and escape it appropriately to prevent XSS vulnerabilities on the server. Angular also recommends not generating Angular templates on the server side with a templating language.

CROSS-SITE REQUEST FORGERY (XSRF)

Cross-site request forgery (also known as one-click attack or session riding) is abbreviated as CSRF or XSRF. It is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.
In a common anti-XSRF technique, the application server sends a randomly generated authentication token in a cookie. The client code reads the cookie and adds a custom request header with the token in all subsequent requests. The server compares the received cookie value to the request header value and rejects the request if the values are missing or don’t match.
https://ordina-jworks.github.io/angular/2018/03/30/angular-security-best-practices.html
