Bartosz Pietrucha for Angular

Angular Security Checklist

While developing Angular applications we need to pay close attention to security, simply speaking, to keep the application from being hacked!

There are many ways we can put our application's users in danger, making them victims of attacks like cross-site scripting (XSS) or cross-site request forgery (CSRF). Here is a list of the essential checks you should perform to raise the security level of your applications.

👉 Use HttpOnly and Secure cookies,
👉 Sign the cookies and tokens (like JWT) with a strong secret,
👉 Do not store sensitive data in the JWT payload,
👉 Ensure your JWT library does not accept alg: none,
👉 Transport all data over HTTPS,
👉 Use Content Security Policy Level 2,
👉 Do not allow inline scripts (no unsafe-inline),
👉 Use the integrity attribute on all external scripts,
👉 Avoid Angular's bypassSecurityTrust*() methods,
👉 Use CSRF protection with a CSRF token,
👉 Avoid custom auth library implementations,
👉 Check all API endpoints for role-based authorization,
👉 Use AoT compilation for template checks.

Here you can get a free printable checklist:
Angular Security Checklist PDF

Let me know in the comments if you are aware of all the checks and I will be creating more content covering these aspects!

Top comments (1)

Vatsal Shah

How can we verify each point in the current project?
