Saturday, May 21, 2016

How to secure your AngularJS application?

Securing an AngularJS application is always a concern for developers. Because AngularJS is a JavaScript framework, most of the work happens on the client side, so anyone viewing the page source can learn the business logic flow, security tokens, keys and so on unless you have taken care of it.

Finahub has developed an Aadhaar eSign application which has gone through several rounds of security audits. We used AngularJS as the front-end framework, and we did many things to make sure the application is secure in every respect, so we thought of sharing our experience with fellow developers. Following are the security risks that may affect an Angular app and the solution to each of them.

1. Cross-Site Request Forgery

When a web server is designed to receive a request from a client without any mechanism for verifying whether it was intentionally sent by the authenticated user, an attacker may be able to trick the client into making an unintended request to the web server, which will then be treated as an authentic, intended request. This can be done via a URL, an image load, an XMLHttpRequest, etc., and can result in the exposure of data or unintended code execution.

AngularJS has a built-in XSRF feature which can be used to prevent this.

The Angular $http service will do these things automatically:

  • Look for a cookie named XSRF-TOKEN on the current domain.
  • If that cookie is found, it reads the value and adds it to the request as the X-XSRF-TOKEN header.

Thus the client-side implementation is handled for you, automatically! But this does leave the server side pieces in your hands. You will need to do the following parts:

  • During login: create the CSRF token (with a random, un-guessable string), and associate it with the user session. You will need to send it on the login response as the XSRF-TOKEN cookie.
  • Assert that all incoming requests to your API have the X-XSRF-TOKEN header and that the value of the header is the token that is associated with the user’s session.

This small backend work will protect your application from CSRF attacks.

2. Improper Input Validation
If you rely only on the validation framework of AngularJS, you will have this problem. The JavaScript validations can easily be turned off, and people can then submit unwanted content through the input fields. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross-site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.

The only foolproof way to fix this is to do all input validation on the server side as well. Angular's client-side validation is helpful for users, but since attackers may alter the JavaScript, we need to make sure nothing gets past the server-side validation.
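As an added example (not code from the original post), here is a server-side validator that re-checks a form payload regardless of what the Angular client did. The field rules are hypothetical and mirror what ng-required, ng-minlength, ng-maxlength and ng-pattern would enforce in the browser; the point is that the same rules, plus rejection of fields the form never declared, run again on the server.

```javascript
// Added example: server-side re-validation of a form payload. The RULES table
// is hypothetical; it stands in for whatever the Angular form enforces client-side.
const RULES = {
  username: { required: true, minLength: 3, maxLength: 32, pattern: /^[A-Za-z0-9_.-]+$/ },
  email:    { required: true, maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age:      { required: false, pattern: /^\d{1,3}$/ },
};

// Returns { ok: true, value } with a trimmed copy of the accepted fields,
// or { ok: false, errors } listing every rule that failed.
function validatePayload(payload, rules = RULES) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, errors: ["payload must be a JSON object"] };
  }
  const errors = [];
  const value = {};
  // Reject fields the form never declared: an attacker can post any JSON they like,
  // so only explicitly listed fields are copied into the accepted value.
  for (const key of Object.keys(payload)) {
    if (!Object.prototype.hasOwnProperty.call(rules, key)) errors.push(`${key}: unexpected field`);
  }
  for (const [field, rule] of Object.entries(rules)) {
    const raw = payload[field];
    if (raw === undefined || raw === null || raw === "") {
      if (rule.required) errors.push(`${field}: required`);
      continue;
    }
    if (typeof raw !== "string") {
      errors.push(`${field}: must be a string`);
      continue;
    }
    const v = raw.trim();
    if (rule.minLength !== undefined && v.length < rule.minLength) errors.push(`${field}: shorter than ${rule.minLength}`);
    if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${field}: longer than ${rule.maxLength}`);
    if (rule.pattern && !rule.pattern.test(v)) errors.push(`${field}: invalid format`);
    value[field] = v;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Stand-alone demonstration: a well-formed submission and a tampered one.
console.log(validatePayload({ username: "alice_1", email: "alice@example.com" }));
console.log(validatePayload({ username: "a", email: "not-an-email", isAdmin: "true" }));
```

Only the sanitized `value` should reach the business logic; the original `payload` is never used after validation.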

3. Business flow Vulnerability
In an AngularJS application we normally control the process flow or business flow by showing or hiding sections of the page. This is very convenient for users, as it is very fast and requires no page reload. But attackers can easily alter the JavaScript to show or hide sections of the HTML page. They may also be able to skip various steps in a business flow and perform the final step directly. This is a serious security risk.

A server-side business flow check is a must to prevent this. The application must have checks in place ensuring that users complete each step of the process in the correct order, and must prevent attackers from circumventing any step in the workflow. Testing for workflow vulnerabilities involves attempting to execute the steps of the process in an inappropriate order.
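One way to implement that server-side check, as an added example that is not part of the original post: the server keeps the workflow position in the session and refuses any step other than the next one, so hiding or showing page sections on the client cannot skip anything. The step names, the `session` object and the `advanceWorkflow` function are assumptions; the real flow is whatever your application defines.

```javascript
// Added example: server-side state machine that enforces step order.
// STEPS, the session shape and the function names are assumptions.
const STEPS = ["upload", "otp", "sign", "download"];

// Name of the step the session is allowed to perform next.
function nextStep(session) {
  return STEPS[session.completed || 0];
}

// Returns { ok, status, ... } instead of writing a response so it can be unit
// tested; an HTTP layer would map status to the response code. Any request for
// a step that is not exactly the next one is refused, whatever the client shows.
function advanceWorkflow(session, requestedStep) {
  const idx = STEPS.indexOf(requestedStep);
  if (idx === -1) return { ok: false, status: 400, error: "unknown step" };
  const expected = session.completed || 0;
  if (idx < expected) return { ok: false, status: 409, error: `${requestedStep} already completed` };
  if (idx > expected) return { ok: false, status: 403, error: `must complete ${STEPS[expected]} first` };
  session.completed = expected + 1;
  return { ok: true, status: 200, step: requestedStep, done: session.completed === STEPS.length };
}

// Stand-alone demonstration: jumping straight to "sign" is refused,
// walking the steps in order succeeds.
const demo = {};
console.log(advanceWorkflow(demo, "sign"));
for (const step of STEPS) console.log(advanceWorkflow(demo, step));
```

Every refused request is also a useful signal for logging: a session that repeatedly asks for a later step than it has reached is exactly the "inappropriate order" the text says to test for.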

4. Vulnerable JavaScript Library
Some older versions of the AngularJS library have reported vulnerabilities, e.g. version 1.2.29.

Make sure you are using the latest version of the AngularJS library.

We hope this blog post is helpful in making your Angular application secure. Feel free to get in touch with us via [email protected].