Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Angular Apps Brian Noyes

Published byMaria Hodges Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing Angular Apps Brian Noyes"— Presentation transcript:

1 Securing Angular Apps Brian Noyes
CTO & Co-founder, Solliance Inc ( @briannoyes

2 Visual Studio Connections
About Brian Noyes CTO and Co-founder, Solliance Microsoft Regional Director Microsoft MVP Pluralsight author Web API Insider, Windows Azure Insider, Window Store App Insider, C#/VB Insider t e @briannoyes Updates will be available at

3 Agenda Security in the SPA Architecture Authentication options
Securing SPA pages Securing Web API calls Dealing with CORS Protecting against CSRF Client security context

4 What does it mean to “secure”?
More than just “logging in” Authentication Authorization Transport protection Cross Origin Resource Sharing (CORS) Cross Site Request Forgery (CSRF/XSRF) Cross Site Scripting (XSS) User and access control management

5 Single Page App Architecture
Single Page Application Presentation (HTML/CSS) UI Logic (JavaScript) Data/Service Access – Client Services (JS) Server Web Service Web Service UI Rendering Database

6 Securing SPA Pages Leverage server page rendering security
Block return of root SPA page Block return of HTML fragments and/or JavaScript Only really makes sense if the structure or static content of your pages are sensitive Most content in a SPA delivered as “data” via Web API calls

7 Securing Web API Calls Need to decide on authentication mechanism
No automatic redirects to login page for service calls – must present valid authorization token Cookie or Authorization header Set up depends on your back end technology Up to server to allow the calls or not Validates the token or cookie based on shared secret trust relationship with the Authorization Server Might supplement the Authorization Server claims with more fine grained app specific claims

8 Authentication Options
Windows authentication Basic authentication Cookie-based authentication with host site Token-based authentication (STS)

9 Protecting against CSRF
Cross Site Request Forgery Important concern with SPAs due to prevalence of Web API calls Only relevant when using cookie authentication with AJAX calls Browser automatically sends cookie based on host address for request, even from other tabs ASP.NET MVC has built in support Layer on a two-factor protocol for validating request Web APIs require manual means Can mimic what MVC does Using Bearer tokens for authorization helps to avoid

10 Token Authentication Options
.NET Backend ASP.NET Identity IdentityServer NodeJS Backend Passport, etc. Commercial option Auth0 Each of the above can act as an “Authorization Server” or Security Token Service (STS) for one or more apps

11 Token-based Redirect Browser 3 4 1 6 2
Login Page POST Credentials 4 Set JSON Cookie 7 1 6 {…} 2 OIDC Authentication Request JWT Authenticate Issue Claims Web Site DB STS 5 OpenID Connect (OIDC) Authentication Request

12 OAuth2 Implicit Flow SPA 6 App 2 3 5 1 7 OAuth2 Implicit Flow Java
{…} Java Script 2 Login Page POST Credentials 3 5 OAuth2 Implicit Flow 1 {…} 7 JWT {…} DB Web API STS Authenticate Issue Claims 4 OAuth2 Implicit Flow

13 Dealing with CORS Cross Origin Resource Sharing
Web APIs on a different host than pages rendered from Built in to all modern browsers Simple CORS GET/POST, form encoded, no additional header Sends Origin header in request, expects Access-Control-Allow-Origin in response Most CORS Sends “preflight” OPTIONS request specifying what is being requested (Verb, headers, cookies,etc) Destination server decides who gets in Have to populate appropriate headers in your $http service calls Automatic with Angular $http service with right configuration

14 Client Security Context
Client may collect credentials to send to authentication server for validation Resource owner password flow Discouraged in OAuth2 spec Can track success or failure of login process Can obtain claims from returned tokens Can request server authorization roles/claims Should only be used to drive client UX – not treated as “securing the app” Hide/show navigation links Enable features

15 Protecting Against XSS
Script injection through input controls Angular protection: ngSanitize

16 Resources ASP.NET Identity: http://www.asp.net/identity
@briannoyes ASP.NET Identity: ASP.NET SPA Template: IdentityServer: Pluralsight courses: Web API v2 Security: Securing JavaScript Applications:

17 Please use Event Board to fill out a session evaluation.
Questions? Please use Event Board to fill out a session evaluation. Thank you!

Download ppt "Securing Angular Apps Brian Noyes"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
App development in SharePoint 2013 LIVE Introducing Cloud App Model Cloud-hosted Apps Experiences from the Field.

App development in SharePoint 2013 LIVE Introducing Cloud App Model Cloud-hosted Apps Experiences from the Field.
Understanding SharePoint 2013 Add-In Security Vulnerabilities

Understanding SharePoint 2013 Add-In Security Vulnerabilities
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
Remotely authenticating against the Service Framework.

Remotely authenticating against the Service Framework.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
© 2010 Cisco and/or its affiliates. All rights reserved. 1 Web Security Fear, Surprise, and Ruthless Efficiency Mary Ellen Zurko.

© 2010 Cisco and/or its affiliates. All rights reserved. 1 Web Security Fear, Surprise, and Ruthless Efficiency Mary Ellen Zurko.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Krishna Mohan Koyya Glarimy Technology Services

Krishna Mohan Koyya Glarimy Technology Services
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

Similar presentations

Ads by Google