How does Angular handle XSS or CSRF?

angular typescript xss csrf
35,489

Solution 1

Angular2 provides built-in, enabled by default*, anti XSS and CSRF/XSRF protection.

The DomSanitizationService takes care of removing the dangerous bits in order to prevent an XSS attack.

The CookieXSRFStrategy class (within the XHRConnection class) takes care of preventing CSRF/XSRF attacks.

*Note that the CSRF/XSRF protection is enabled by default on the client but only works if the backend sets a cookie named XSRF-TOKEN with a random value when the user authenticates. For more information read up about the Cookie-to-Header Token pattern.

UPDATE: Official Angular2 security documentation: https://angular.io/docs/ts/latest/guide/security.html (Thanks to Martin Probst for the edit suggestion!).

Solution 2

For mentioned server side in Angular, the CSRF you might handle using Express:

app.use(express.csrf())
app.use(function (req, res, next) {
  res.cookie('XSRF-TOKEN', req.session._csrf);
  res.locals.csrftoken = req.session._csrf;
  next();
})

Not sure if with the new HttpClientXsrfModule it's still required though. It might be enough to add only the following (but need to be confirmed) on the client side in app.module:

HttpClientXsrfModule.withOptions({
  cookieName: 'XSRF-TOKEN',
  headerName: 'X-XSRF-TOKEN'
})
Share:
35,489

Related videos on Youtube

TheHeroOfTime
Author by

TheHeroOfTime

I like programming in different languages (C#, C++, Java, Python, etc.), but also playing video games in my free time.

Updated on July 30, 2022

Comments

  • TheHeroOfTime
    TheHeroOfTime over 1 year

    How does Angular (2) handle XSS and CSRF. Does it even handle these attacks? If so, what do I have to do to use this protection? If not, do I have to handle all these attacks in my server, or somehow with TypeScript in the frontend?

    I have read that you have to use "withCredentials: true", but I'm not quite sure where to put this code or if it is even that, what I'm looking for.

    In the https://angular.io/ webpage I didn't find anything about this (or I just missed it).

  • jmq
    jmq over 6 years
    Worth looking at that security guide as a whole, but also ref angular.io/guide/http#security-xsrf-protection specifically (which the security guide links to)
  • x-magix
    x-magix over 3 years
    perfect explanation

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

WARNING: sanitizing unsafe style value background-color
Angular 6 does not add X-XSRF-TOKEN header to http request
WARNING: sanitizing unsafe style value url
Adding an item to interface array list in Typescript
Angular 6 calling function after dialog close
Angular 6+ TypeError: Cannot read property 'firstName' of undefined
Reset Form in angular 5 after submit
Angular 5 disable a table row
How to filter data with select/dropdown using Angular 2?
Angular2 Wait DOM element to load