Angular Security: Checklist

July 4, 2023 · VIKTORIIA TARAN & AMINA MURTAZINA & NIKITA HORIUK

As we promised before, we are sharing our Angular-only checklist. It should serve as a starting point, indicating areas to look into. You can also use it at the end of the assessment to ensure you haven’t missed anything!

The Checklist

Verify that:

• Angular is considered a client-side framework and is not expected to provide server-side protection
• Sourcemap for scripts is disabled in the project configuration
• Untrusted user input is always interpolated or sanitized before being used in templates
• The user has no control over server-side or client-side templates
• Untrusted user input is not passed to Angular classes such as ElementRef ,Renderer2 and Document, or other JQuery/DOM sinks
• Untrusted user input is sanitized using an appropriate security context before being trusted by the application
  • BypassSecurity* methods are not used with untrusted input

Last words

We hope this checklist will be as valuable and useful to you as it is to us. If you are a developer, consider integrating security testing and code reviews into your development process to ensure that security is a top priority in your Angular projects.

📣 We would love to hear your feedback!

If you have any comments or suggestions regarding the security checklist, please share them with us via email (contact@leviathansecurity.com). Your feedback will help the other professionals make the world more secure!