Stopping malicious attacks and hacks in AngularJS

To allow secure access to legitimate users, there has to be an element of trust between the server and the browser. Unfortunately, a number of attacks take advantage of exactly that trust. With the correct support on the server, AngularJS can help protect against them.

Preventing cookie snooping (man-in-the-middle attacks)

Whenever data passes over plain HTTP between a client and a server, anyone on the network path can read it, including the cookies attached to each request; with your session cookie in hand, an attacker can replay requests to the server as though they were you. An attacker who can also alter the traffic in transit is performing what is commonly called a “man-in-the-middle” attack, see http://en.wikipedia.org/wiki/Man-in-the-middle_attack. The standard defence against both passive snooping and active tampering is to use HTTPS rather than HTTP, which encrypts the traffic and authenticates the server through its certificate.

Note

Any application, in which sensitive data passes between the application and the server should use HTTPS to ensure that this data is encrypted.

By encrypting the connection using HTTPS, we prevent sensitive data from being read as it passes between the client and the server, and we also prevent unauthorized users from reading authentication cookies from our requests and hijacking our session. Note that this protection only holds while the browser accepts the server's certificate; a user who clicks through a certificate warning has no guarantee of whom they are talking to.

In our application, the requests to the MongoLab DB are already sent over HTTPS from our server. To provide complete security from this kind of snooping, we should also ensure that our client interacts with our server over HTTPS as well. Mostly, this is just a case of getting the server to listen over HTTPS, and the client to make requests over HTTPS.

Implementing this on the server depends on your choice of back-end technology and is beyond the scope of this book, but in Node.js you could use the https module as shown in the following code:

var fs    = require('fs');
var https = require('https');
// `app` (the Express application) and `config` (with server.securePort)
// are assumed to be defined earlier in the server code.
var privateKey  =
  fs.readFileSync('cert/privatekey.pem').toString();
var certificate =
  fs.readFileSync('cert/certificate.pem').toString();
var credentials = {key: privateKey, cert: certificate};
var secureServer = https.createServer(credentials, app);
secureServer.listen(config.server.securePort);

On the client side, we just have to ensure that the URL used to connect to the server is not hardcoded to the HTTP protocol. The easiest way to do this is to give no protocol (and no host) in the URL at all: a root-relative path such as the one below is resolved by the browser against the page's own location, so requests inherit whatever scheme, host and port the application itself was loaded from.

angular.module('app').constant('MONGOLAB_CONFIG', {
  baseUrl: '/databases/',
  dbName: 'ascrum'
});

In addition, the authentication cookie itself should carry two flags when the server creates it. Setting the secure option to true tells the browser to send the cookie only on HTTPS requests, so it is never exposed on a plain-HTTP request even if one slips through (for example, through a link that is still hardcoded to http://). Setting httpOnly to true does something different but equally important: it keeps the cookie out of reach of document.cookie, so that script injected into the page through a cross-site scripting hole cannot read it and pass it to an attacker. With both options set, the session cookie can neither be sniffed off the wire nor read by injected script.

About the author

Deven Rathore

I'm Deven Rathore, a multidisciplinary & self-taught designer with 3 years of experience. I'm passionate about technology, music, coffee, traveling and everything visually stimulating. Constantly learning and experiencing new things.
