How does Angular handle XSS or CSRF?

TheHeroOfTime picture TheHeroOfTime · Apr 13, 2016 · Viewed 26.5k times · Source

How does Angular (2) handle XSS and CSRF. Does it even handle these attacks? If so, what do I have to do to use this protection? If not, do I have to handle all these attacks in my server, or somehow with TypeScript in the frontend?

I have read that you have to use "withCredentials: true", but I'm not quite sure where to put this code or if it is even that, what I'm looking for.

In the https://angular.io/ webpage I didn't find anything about this (or I just missed it).

Answer

Daniel Gartmann picture Daniel Gartmann · May 24, 2016

Angular2 provides built-in, enabled by default*, anti XSS and CSRF/XSRF protection.

The DomSanitizationService takes care of removing the dangerous bits in order to prevent an XSS attack.

The CookieXSRFStrategy class (within the XHRConnection class) takes care of preventing CSRF/XSRF attacks.

*Note that the CSRF/XSRF protection is enabled by default on the client but only works if the backend sets a cookie named XSRF-TOKEN with a random value when the user authenticates. For more information read up about the Cookie-to-Header Token pattern.

UPDATE: Official Angular2 security documentation: https://angular.io/docs/ts/latest/guide/security.html (Thanks to Martin Probst for the edit suggestion!).