
I am trying to make my single-page app more secure. In the code I have a POST request which returns user information.

user: {
    city: "USA",
    company: "1",
    country: "Boston",
    email: "[email protected]",
    favorList: "17 8 7 1",
    id: "46",
    name: "Alex",
    password: "d89885b09d30673f2a8321eeb1f8ab3bb3p6f",
    phone: "+7(000)000-09-00",
    role: "user",
    settings: "false true",
    viewingList: "8 17 143 138"
}

Some fields of this object I use with ng-show/ng-if/ng-hide/ng-switch to manage the HTML in templates. For example: <div ng-if="user.role == 'administrator'"> or <div ng-if="user.role == 'user'">

But a user can open the Chrome developer tools and retype the user role, then go to the templates and get administrator rights.

How can I fix that?

  • Use a server side check. Commented Dec 7, 2015 at 15:31
  • Never bring all that data from the back end to the front end. Always check the role on the server side; use a session or something similar to know which user is logged in, get the user and ask the DB about the user's roles.
    – Jose Rocha
    Commented Dec 7, 2015 at 15:35
  • On the server side I have such checking. The user logs in => gets an object. Somehow I need to manage the HTML based on the user role. So I have to pass the user role variable to the UI, but I need to secure it somehow. Commented Dec 7, 2015 at 15:37
  • If you only need the roles of the user on the front end, just send the roles for the user; don't send the password of the user in the object.
    – Jose Rocha
    Commented Dec 7, 2015 at 15:38
  • No, you don't, you just need to pass back some form of flag. The point was that on the server side you need to re-check authorization to see if the user can take the action they're trying to take--you cannot rely on the front end to only send appropriate requests. Commented Dec 7, 2015 at 15:38

2 Answers


JavaScript is, by definition as a client-side script, an insecure language. Objects and functions can be altered either by injected JS or by the user directly in the browser.

Therefore it is very important not to depend on JS to secure your application. Normally the JS/Angular layer of your application would only provide a fancy user interface; it can contain some simple business logic or checks, but only to make things smoother or faster for the user (if you can check an email address client side before sending the address to the server, you should). However, this UI 'talks' to your server-side code, and there you should have another security layer which prevents operations for which the user is not authorized.

So in short, use JS for your user interface and use the speed of client-side scripts to your advantage, but make sure to encapsulate your server-side calls in their own security layer to prevent unauthorized calls.

There is no way to prevent tampering with your data in JS, so make sure that tampering cannot leak information or change data to which the user has no access.

Regards,

Sem


There is no way to prevent a user from modifying the DOM in their browser.

The only reason why you would expose a property such as "user role" to the client side is if you use it to change something aesthetically. Modifying it should have no effect on how their account behaves.

Such data should be stored on the server side only, in the session and/or database.
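The pattern both answers describe, as an added example that is not code from the question or from either answer: a small Node.js model in which the authoritative role lives in server-side session state and is re-checked on every privileged request, the browser receives only a projection of the user row without the password field (the point raised in the comments), and any role the browser sends back is ignored. All user rows, session ids, handler names (`getMe`, `adminListUsers`, `authorize`) and the placeholder password values are constructed for this example.

```javascript
// Added example, not code from the question or either answer: a minimal
// Node.js model of server-side authorization for a SPA. The role that
// matters lives in server-side session state and is re-checked on every
// privileged request; the browser only receives a projection of the user
// row without the password hash, and any role the browser sends back is
// ignored. All user rows, session ids and handler names are constructed
// for this example (the password values are placeholders, not real hashes).

// Constructed "database" rows, shaped like the object in the question.
const USERS = {
  '46': {
    id: '46', name: 'Alex', email: 'alex@example.com', role: 'user',
    password: 'placeholder-hash-not-real', favorList: '17 8 7 1',
    settings: 'false true',
  },
  '1': {
    id: '1', name: 'Root', email: 'root@example.com', role: 'administrator',
    password: 'placeholder-hash-not-real', favorList: '', settings: '',
  },
};

// Server-side session store (session id -> user id). Populated only by
// the login handler after a password check, so the browser cannot write
// to it; it can only present a session id.
const SESSIONS = { 'sess-alex': '46', 'sess-root': '1' };

// Projection returned to the browser. The role is included purely so the
// Angular templates can decide what to render; the password hash never
// leaves the server.
function publicProfile(user) {
  const { password, ...safe } = user; // drop the secret, keep the rest
  return safe;
}

// Authoritative check: resolve the user from the session and compare the
// stored role. The request body is deliberately never consulted.
function authorize(sessionId, requiredRole) {
  const userId = SESSIONS[sessionId];
  if (userId === undefined) return { ok: false, status: 401 };
  const user = USERS[userId];
  if (user === undefined || user.role !== requiredRole) {
    return { ok: false, status: 403 };
  }
  return { ok: true, status: 200, user };
}

// GET /me: what the SPA loads at startup to drive ng-if/ng-show.
function getMe(sessionId) {
  const userId = SESSIONS[sessionId];
  if (userId === undefined) return { status: 401 };
  return { status: 200, body: publicProfile(USERS[userId]) };
}

// Admin-only endpoint. `body` is whatever the client sent; it may carry
// role: "administrator" after tampering in devtools, and that makes no
// difference because authorize() never reads it.
function adminListUsers(sessionId, body) {
  const auth = authorize(sessionId, 'administrator');
  if (!auth.ok) return { status: auth.status };
  return { status: 200, body: Object.values(USERS).map(u => u.email) };
}

// Walk through the scenario from the question: Alex edits user.role in
// the browser and then calls the admin endpoint.
function demo() {
  const me = getMe('sess-alex');
  console.log('GET /me ->', me.status, Object.keys(me.body).join(','));
  me.body.role = 'administrator'; // the devtools edit: only the client copy changes
  console.log('tampered admin call ->',
    adminListUsers('sess-alex', { role: me.body.role }).status); // 403
  console.log('real admin call ->', adminListUsers('sess-root', {}).status); // 200
}
demo();
```

The ng-if templates keep working off the projected object, so a user who flips `user.role` in devtools will still see the administrator template render; every request that template issues is refused with 403 because the server re-derives the role from the session it holds, not from anything the client sent. That is the whole of the fix: the client-side check only decides what to draw, the server-side check decides what is allowed.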
