Angular Security Flashcards
Template Sanitization:
Angular automatically sanitizes user-provided inputs in templates to prevent Cross-Site Scripting (XSS) attacks. For example, consider the following template:
{{ user.name }}
If the user.name property contains potentially harmful HTML code, Angular automatically sanitizes it and renders it as plain text, preventing any script execution.
Cross-Site Scripting (XSS) Protection
Angular automatically escapes interpolated values and data bindings by default to prevent XSS attacks. For example, consider the following template:
{{ user.bio }}
If the user.bio property contains a script tag or any other HTML code, Angular escapes the characters and renders it as plain text, preventing script execution.
Content Security Policy (CSP) Support:
Angular allows you to enforce a strict Content Security Policy for your application. This helps protect against XSS attacks by defining the sources from which the application can load resources. For example, you can configure a CSP in the HTML header as follows:
<meta></meta>
This example restricts the loading of scripts to the same origin and a trusted CDN.
Authentication and Authorization:
Angular provides a flexible framework for implementing authentication and authorization mechanisms. You can leverage features like route guards, authentication services, and token-based authentication (e.g., JWT) to secure routes and control access to protected resources.
This guard checks if the user is authenticated and allows or denies access to the protected route accordingly.
Avoid risky Angular APIs
Avoid Angular APIs marked in the documentation as “Security Risk.” The most common risky API we use is ElementRef. It permits direct access to the DOM and can make your application more vulnerable to XSS attacks. Review any use of ElementRef in your code carefully. Use this API as a last resort when direct access to the DOM is needed. Use templating and data binding provided by Angular, instead. Alternatively, you can take a look at Renderer2, which provides an API that can safely be used even when direct access to native elements is not supported.
These are just a few examples of the security features provided by Angular. It’s important to implement additional security measures based on your application’s requirements, such as input validation, secure communication protocols (HTTPS), proper error handling, and regular security updates for dependencies and libraries used in the application.
What type of DOM does Angular implement?
DOM (Document Object Model) treats an XML or HTML document as a tree structure in which each node is an object representing a part of the document.
Angular uses the regular DOM. This updates the entire tree structure of HTML tags until it reaches the data to be updated. However, to ensure that the speed and performance are not affected, Angular implements Change Detection.
- What is Angular? Why was it introduced?
Angular was introduced to create Single Page applications. This framework brings structure and consistency to web applications and provides excellent scalability and maintainability.
Angular is an open-source, JavaScript framework wholly written in TypeScript. It uses HTML’s syntax to express your application’s components clearly.
