Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does Angular handle XSS or CSRF?

Tags:

How does Angular (2) handle XSS and CSRF. Does it even handle these attacks? If so, what do I have to do to use this protection? If not, do I have to handle all these attacks in my server, or somehow with TypeScript in the frontend?

I have read that you have to use "withCredentials: true", but I'm not quite sure where to put this code or if it is even that, what I'm looking for.

In the https://angular.io/ webpage I didn't find anything about this (or I just missed it).

like image 772
TheHeroOfTime Avatar asked Apr 13 '16 09:04

TheHeroOfTime

People also ask

How does Angular handle XSS attacks?

To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template binding, or interpolation, Angular sanitizes and escapes untrusted values.

Does Angular have built in CSRF protection?

If your application uses Angular, CSRF protection comes built-in. Angular is a front-end framework that uses TypeScript. It became popular in enterprise applications where consistent design pattern is crucial to productive development. Paired with a back-end framework, Angular provides built-in CSRF protection.

Is XSS possible in Angular?

Another instance where XSS attacks can happen in Angular is when you use native web APIs to directly access the DOM elements. In this case, you might use ElementRef to access a DOM element in your application as shown below.

2 Answers

Angular2 provides built-in, enabled by default*, anti XSS and CSRF/XSRF protection.

The DomSanitizationService takes care of removing the dangerous bits in order to prevent an XSS attack.

The CookieXSRFStrategy class (within the XHRConnection class) takes care of preventing CSRF/XSRF attacks.

*Note that the CSRF/XSRF protection is enabled by default on the client but only works if the backend sets a cookie named XSRF-TOKEN with a random value when the user authenticates. For more information read up about the Cookie-to-Header Token pattern.

UPDATE: Official Angular2 security documentation: https://angular.io/docs/ts/latest/guide/security.html (Thanks to Martin Probst for the edit suggestion!).

like image 154
Daniel Gartmann Avatar answered Nov 20 '22 17:11

Daniel Gartmann

For mentioned server side in Angular, the CSRF you might handle using Express:

app.use(express.csrf()) app.use(function (req, res, next) {   res.cookie('XSRF-TOKEN', req.session._csrf);   res.locals.csrftoken = req.session._csrf;   next(); })

Not sure if with the new HttpClientXsrfModule it's still required though. It might be enough to add only the following (but need to be confirmed) on the client side in app.module:

HttpClientXsrfModule.withOptions({   cookieName: 'XSRF-TOKEN',   headerName: 'X-XSRF-TOKEN' })
like image 29
Daniel Danielecki Avatar answered Nov 20 '22 15:11

Daniel Danielecki
Sign in to Comment

Related questions

MongoDB: Server has startup warnings [duplicate]
What is the difference between these 3 ways of declaring a string in Rust?
What is diffrence between lock() and expired()? weak_ptr C++
Can't use Stripe in iOS Apps?
Pod in pending state due to Insufficient CPU
SQL query to determine if a JSON value contains a specified attribute
How do I compile my TypeScript code for Node.js to one file?
Why is (18446744073709551615 == -1) true?
What happens when JavaScript variable name and function name is the same?
Skip system checks on Django server in DEBUG mode in Pycharm
Fastest way to insert 100,000+ records into DocumentDB
How to access a return value from a node script in BASH?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!