Reputation: 47
Is there a really good way to secure private pages with Angular? (I know there is, but I can't get it.) I searched this question a lot and all the information I found looks the same and doesn't really give me a solution.
How can Angular secure pages (like an admin panel) with any server side? I'll explain what I mean..
I know that we can create server-side code which goes to its own storage (DB etc.) and checks the credentials that Angular sends against its credentials.
BUT - no matter what the answer from the server side is (let's say PHP or Firebase etc.), the user can change the code in Angular since it's generated into JS eventually!
Let's say my Angular code is like:
```typescript
// some code..
if (serverSide.response == true) {
  // go to the AdminPanel page
  this.router.navigate(['/admin-panel']);
} else {
  alert('not authorized!');
}
// some code..
```
When I open my devtools in Chrome after I run my app (with ng serve), I can easily look into the "main.js" source file and easily change this code to this:
```typescript
// some code..
if (1 == 1) {
  // go to the AdminPanel page
  this.router.navigate(['/admin-panel']);
} else {
  alert('not authorized!');
}
// some code..
```
Then what? Of course this is not secure.. (I also tried it and I'm aware I'm right.) Please help me understand what I'm missing!
Thanks!
Upvotes: 1
Views: 1197
Reputation: 1549
The front-end is mostly responsible for showing data and sending it to the server, and the server is responsible for storing and processing the data.
Meaning that the server is responsible for checking whether the user is authenticated (is logged in) and has permission to access that page (authorized). As Saravana said, JWT is a good technique to guarantee that the user is authenticated and has permission to access that data.
But that doesn't mean you shouldn't take care of security. In the front-end environment you should mostly take care of XSS attacks. The good news is that Angular has a lot of things to take care of XSS, but you still need to implement a few things on your own, like JWT and route guards for example.
Upvotes: 0
Reputation: 191
Angular or any other client-side framework should contain only UI logic. Exposing UI logic is not a security threat.
The server-side web API should have proper authentication and authorization.
JWTs (JSON Web Tokens) are used to securely access the server-side API.
As you said, the user can modify the code to if (1 == 1), but the user can only see the UI, not the data. You should validate the credentials on the server side and provide the data to the client.
Upvotes: 3