Security is one of the most important and most challenging tasks faced by an AngularJS developer. It is not that the developer is responsible for implementing the security layer (that is not the case at all), but it is very important for an AngularJS developer to understand the role that AngularJS plays in the overall security model of an application or website.
With that in mind, there are several rules that AngularJS developers and backend developers need to remember. Although implementing the security layer is not usually the job of an AngularJS developer, it is often a collaborative effort among all developers involved in a project. The following rules should always be considered:
- Always use SSL (HTTPS) to communicate with REST services that carry private data.
- Always use some type of authentication on each REST service call that contains private data (Basic Authentication, for example).
- Never hold REST service authentication status in a session variable on the server. Doing that opens your server-side application up to cross-origin attacks and other serious security concerns.
- Never implement a Cross-Origin Resource Sharing (CORS) layer that returns `*` as the list of allowed domains. For example, `Access-Control-Allow-Origin: *` would allow all domains to make cross-origin calls to the REST services on the site. Doing that circumvents the browser's CORS security implementation completely.
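The CORS rule above, worked through as an added example (not code from the original article): a weak policy that answers `*` beside an allow-list policy that echoes only a known origin, plus a simplified model of the browser-side check that shows why the wildcard lets any site read the response. The origin values and function names are constructed for illustration.

```javascript
// Weak policy: any page on the web may read the REST response cross-origin.
function corsHeadersWildcard() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Constructed allow-list of first-party origins (assumption, not real hosts).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Corrected policy: echo the request's Origin only when it is on the allow-list.
// Any other origin gets no Access-Control-Allow-Origin header at all, so the
// browser refuses to hand the response to the calling page.
function corsHeadersAllowlist(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || !allowed.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    // The response differs per Origin; tell caches not to reuse it across origins.
    Vary: "Origin",
    // Credentials (Basic Auth header, cookies) are only ever paired with a
    // specific origin; browsers reject "*" combined with credentials anyway.
    "Access-Control-Allow-Credentials": "true",
  };
}

// Simplified model of the browser's decision: may a page at pageOrigin read a
// response that carries these headers?
function browserAllowsRead(responseHeaders, pageOrigin, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials; // wildcard never covers credentials
  if (acao !== pageOrigin) return false;
  if (withCredentials) {
    return responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return true;
}
```

With the wildcard policy a page on any origin can read an unauthenticated REST response; with the allow-list policy only the listed origins can, and credentialed calls are limited to them as well.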
One Last Point on Security
The login screen is used only as a way to gather the user's credentials, store them temporarily in a safe place, and control the authentication process for each REST service that contains private data. The user's credentials are removed at the end of each session and have to be entered again at the next login, unless the user chooses to save them.