Angular Security Checklist

Bartosz Pietrucha - Jan 23 '20 - Dev Community

While developing Angular applications, we need to pay close attention to security to avoid, simply speaking, being hacked!

There are many ways we can put our application's users in danger, making them victims of attacks like cross-site scripting (XSS) or cross-site request forgery (CSRF). Here is a list of the essential checks you have to perform to raise the level of security of your applications.

👉 Use HttpOnly and Secure cookies,
👉 Sign the cookies and tokens (like JWT) with a strong secret,
👉 Do not store sensitive data in JWT payload,
👉 Ensure your JWT library does not accept alg: none,
👉 Transport all data over HTTPS,
👉 Use Content Security Policy ver. 2,
👉 Do not allow inline scripts (no unsafe-inline),
👉 Use the integrity property on all external scripts,
👉 Avoid Angular's bypassSecurityTrust*() methods,
👉 Use CSRF protection with CSRF-Token,
👉 Avoid custom auth library implementation,
👉 Check all API endpoints for role-based authorization,
👉 Use AoT compilation for template checks.
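
For the "alg: none" and signing items above, here is an added example (not from the original post or from any JWT library) of a server-side HS256 verifier in Node.js that pins the accepted algorithm instead of trusting the token header. The function names, the secret and both tokens are constructed for illustration.

```javascript
// Added example: HS256 JWT verification with a pinned algorithm (Node.js, no dependencies).
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Helper used only to build the constructed sample token below.
function signHs256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Returns the payload or throws. The accepted algorithm is fixed by the
// verifier; the header's "alg" is checked against it, never used to choose.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8')); }
  catch { throw new Error('malformed header'); }
  if (header?.alg !== 'HS256') throw new Error(`algorithm not allowed: ${header?.alg}`);
  const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Constant-time compare; check length first because timingSafeEqual throws on a mismatch.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) throw new Error('token expired');
  return payload;
}

// Constructed samples: a valid token, and one whose header claims alg "none" with an empty signature.
const SECRET = 'constructed-demo-secret-not-for-production-use';
const good = signHs256({ sub: 'user-1', role: 'user', exp: 2000000000 }, SECRET);
const unsignedHead = b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
const unsigned = `${unsignedHead}.${good.split('.')[1]}.`;

function outcome(token) {
  try { return `accepted sub=${verifyHs256(token, SECRET, 1700000000).sub}`; }
  catch (e) { return `rejected: ${e.message}`; }
}
console.log(outcome(good));
console.log(outcome(unsigned));
```

When using a JWT library instead, the equivalent check is to pass an explicit list of allowed algorithms to its verify call and to add a test like the unsigned sample above to the suite.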

Here you can get a free printable checklist:
Angular Security Checklist PDF

Let me know in the comments if you are aware of all the checks and I will be creating more content covering these aspects!
