Security
Priority: P0 (CRITICAL)
Principles
- XSS Prevention: Angular sanitizes interpolated values by default — {{ userInput }} is safe. Do NOT use
innerHTMLunless absolutely necessary (e.g., trusted static CMS content). For user-generated content, display as text with {{ content }} — never as HTML. - Bypass Security: Only bypass security for content you control (e.g., trusted CMS headers). Never call bypassSecurityTrustHtml on user-provided data. Use DomSanitizer.sanitize(SecurityContext.HTML, content) instead of bypass functions. Audit every bypassSecurityTrust* call as a potential XSS vector.
- Route Guards: Protect all sensitive routes with a functional CanActivateFn (e.g., inject(Router).createUrlTree(['/login'])). Apply with canActivate: [authGuard].
Guidelines
- CSP: Configure CSP headers on the server (not in Angular source). Use nonce-based CSP with script-src 'nonce-{nonce}' and avoid unsafe-inline/unsafe-eval.
- HTTP: Use Interceptors to attach secure tokens. Use HttpOnly cookies managed by the server — not localStorage or sessionStorage because they are accessible via XSS.
- Secrets: Never store API keys or secrets in Angular source code or bundle.
Anti-Patterns
- No bypassSecurityTrust: Trust Angular's sanitization; bypass only for verified static content.
- No localStorage for tokens: Use HttpOnly cookies via interceptors for auth tokens.
- No secrets in source: Never embed API keys or secrets in Angular bundle code.
References
- Security Best Practices
- common/security-standards