
Hi, I would like to know about the security features of AngularJS. I have read that Angular provides built-in protection from basic security holes.

  1. It prevents cross-site scripting attacks.
  2. It prevents HTML injection attacks.
  3. It provides XSRF protection for server-side communication.

What are the best practices to make a secure Angular app? Are ngCsp, $sce and $sanitize really required for a secure webapp?

  • This is too broad a question without some kind of use case. The angular features described in that article are great, but there are ways you can bypass those features if you don't know what you are doing with JS. Please add a use case with code to help demonstrate it, and a more applicable answer can be provided. Commented Jun 15, 2015 at 5:28
  • @Ben Rondeau thanks for your response. I just want to add a basic level of security to my app without making it slower, which will include all the three points I have stated above. If you can provide some example or some article for reference, it would be a great help. Commented Jun 15, 2015 at 7:42

1 Answer


You can enable AngularJS CSP support. More details here. Sample code below:

<!doctype html>
<html ng-app ng-csp>
...
...
</html>

ng-csp forces you not to use code that can be injected, like eval and Function. ng-sanitize, from the docs:

The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are then serialized back to properly escaped html string. This means that no unsafe input can make it into the returned string, however, since our parser is more strict than a typical browser parser, it's possible that some obscure input, which would be recognized as valid HTML by a browser, won't make it through the sanitizer. The input may also contain SVG markup. The whitelist is configured using the functions aHrefSanitizationWhitelist and imgSrcSanitizationWhitelist of $compileProvider.

Simply put, you cannot attach any piece of code using innerHTML.

For $sce, you can refer to the following links: trustAsHtml and its nice tutorial.

Apart from this, you can use an auth token.

Edit: You can verify the input in the backend to make sure no injection has been made.
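As an added illustration of what the quoted $sanitize paragraph describes (this is constructed example code, not AngularJS's own source): a small Node sanitizer that parses the input into tag and text tokens, keeps only whitelisted tags and attributes, checks href against a URL scheme whitelist in the spirit of aHrefSanitizationWhitelist, and serializes everything back as escaped HTML. The tag, attribute and scheme lists are assumptions chosen for the demo.

```javascript
// Constructed whitelist sanitizer (not AngularJS's $sanitize implementation).
const SAFE_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'li', 'a']);
const SAFE_ATTRS = new Set(['href', 'title']);
// Assumed scheme whitelist, analogous to aHrefSanitizationWhitelist.
const SAFE_URL = /^\s*(https?|ftp|mailto):/i;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Tokenizer: a tag (group 1 = name, group 2 = raw attributes),
// a run of text (group 3), or a stray '<' that starts no tag (group 4).
const TOKEN = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+)|(<)/g;
const ATTR = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitize(html) {
  let out = '';
  let skipping = false; // true while inside <script> or <style>
  let m;
  while ((m = TOKEN.exec(html)) !== null) {
    if (m[3] !== undefined) { if (!skipping) out += escapeText(m[3]); continue; }
    if (m[4] !== undefined) { out += '&lt;'; continue; }
    const tag = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    // Drop script/style elements together with their contents.
    if (tag === 'script' || tag === 'style') { skipping = !closing; continue; }
    if (skipping || !SAFE_TAGS.has(tag)) continue; // drops <img>, <iframe>, ...
    if (closing) { out += `</${tag}>`; continue; }
    let attrs = '';
    let a;
    while ((a = ATTR.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!SAFE_ATTRS.has(name)) continue;                   // onclick, style, ...
      if (name === 'href' && !SAFE_URL.test(value)) continue; // javascript: etc.
      attrs += ` ${name}="${escapeText(value)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out;
}

module.exports = { sanitize };
```

Anything passed through $sce.trustAsHtml skips this kind of filtering entirely, which is why the answer points at $sce as the place to be careful.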
