How does Angular handle XSS or CSRF?

闹比i 2020-12-08 07:45

How does Angular (2) handle XSS and CSRF? Does it even handle these attacks? If so, what do I have to do to use this protection? If not, do I have to handle all these attac

3 answers
  • 2020-12-08 08:05

    For the server side mentioned in Angular, you might handle CSRF using Express:

    // Express 3: the bundled csrf middleware needs cookieParser() and session() registered before it
    var express = require('express');
    var app = express();
    app.use(express.cookieParser());
    app.use(express.session({ secret: 'change-me' }));
    app.use(express.csrf());
    app.use(function (req, res, next) {
      // expose the session token as a readable cookie so the Angular client can echo it in X-XSRF-TOKEN
      res.cookie('XSRF-TOKEN', req.session._csrf);
      res.locals.csrftoken = req.session._csrf;
      next();
    });
    

    Not sure if with the new HttpClientXsrfModule it's still required though. It might be enough to add only the following (but this needs to be confirmed) on the client side in app.module:

    import { HttpClientModule, HttpClientXsrfModule } from '@angular/common/http';
    // inside @NgModule({ imports: [ ... ] }); these two values are also the module's defaults
    HttpClientModule,
    HttpClientXsrfModule.withOptions({
      cookieName: 'XSRF-TOKEN',
      headerName: 'X-XSRF-TOKEN'
    })
    
  • 2020-12-08 08:08

    Following is a brief guide on how CSRF is handled in a backend/server-side implementation when using Spring Boot.

    The token in CSRF can be associated either with an HttpSession or with a cookie.

    To handle it as a cookie, we may pass

    // default cookie is HttpOnly; use CookieCsrfTokenRepository.withHttpOnlyFalse() so the Angular client can read it
    http.csrf().csrfTokenRepository(new CookieCsrfTokenRepository())
    

    To handle it as an HttpSession, we may pass

    // token kept in the session; expected in the X-CSRF-TOKEN header or the _csrf parameter by default
    http.csrf().csrfTokenRepository(new HttpSessionCsrfTokenRepository())
    

    We can even have a custom CSRF token repository by implementing CsrfTokenRepository, in case we need to skip specific URLs and so on.

    All of the above can be used when overriding the configure method of WebSecurityConfigurerAdapter.

  • 2020-12-08 08:24

    Angular2 provides built-in, enabled by default*, anti XSS and CSRF/XSRF protection.

    The DomSanitizationService takes care of removing the dangerous bits in order to prevent an XSS attack.

    The CookieXSRFStrategy class (within the XHRConnection class) takes care of preventing CSRF/XSRF attacks.

    *Note that the CSRF/XSRF protection is enabled by default on the client but only works if the backend sets a cookie named XSRF-TOKEN with a random value when the user authenticates. For more information read up about the Cookie-to-Header Token pattern.

    UPDATE: Official Angular2 security documentation: https://angular.io/docs/ts/latest/guide/security.html (Thanks to Martin Probst for the edit suggestion!).
