How effectively can I use angularjs keeping securi

2020-05-03 12:58发布

问题:

Why should I use angular.js or other like js frameworks when I know they are not secured.

What I mean by security is:

  • All the code is written in pure javascript. The javascript can be edited in devtools or firebug. Something like form submission can be easily manipulated. Even if I try to do server side validations for all the http requests, I end up doing double the work.

How can I effectively use angularjs keeping above in mind?

Thanks.

回答1:

All client side code is susceptible to modification. For that reason you don't put anything that needs to be secure into the client code. The client code should define the view elements for the end user and give them an easy means to communicate with the server. Regarding security 99% of this needs to be handled server side by appropriately protecting the data that is sensitive. In terms of server to client communication you need to use SSL. Angular has some things built in to help with security see $sce and ngSanitize but IMHO your back-end should be safe because anyone can re-write a front end or use a command line tool to send various curl requests at the server until something gives. The client code really has no need to contain anything proprietary outside of the client code itself if that's your concern you can use obfuscation tools but ultimately even compiled code can be decompiled or disassembled .



回答2:

You should always do both client and server-side validation. No matter what library you're using, this is required. It shouldn't be seen as "double" the work. It's just "the work".

Even if you weren't using Angular (or another Javascript library), I could still use devtools to make a request via Javascript to your server - it still needs to handle it.

If you're worried about code security, you can use an obfuscation/minification tool.



回答3:

Of course you should use minification js tool for your client side code if you worried about its logic. But keep in ming this:

  • Do not keep service info (like many id`s and etc.) on client
  • And always use both type of validation in dangerous places
  • Use crypto/tokens