DinisCruz / Book_Practical_AngularJS

Content for 'Practical AngularJS' book published at LeanPub
Apache License 2.0

Add Section: AngularJS Security #1

Closed DinisCruz closed 8 years ago

DinisCruz commented 10 years ago

And make reference to the research on XSS issues with server-rendered Angular templates

Other references and good articles:

DinisCruz commented 10 years ago

(note from email I sent on this topic)


I don't think that AngularJS suffers from the same type of vulns that we see in Spring MVC since by definition all assets are already on the AngularJS client :)

The issues with AngularJS tend to be around XSS, how to use CSP (Angular is making very good progress in making it part of the core API and secure by default) and how to integrate with backend security controls (like authentication and authorisation).

That said, when devs start playing with directives, there is the possibility to inject HTML and JavaScript in there (although there is some AngularJS protection here).

Have you seen https://code.google.com/p/mustache-security/wiki/AngularJS#AngularJS_1.2.0-rc.2 ?
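
An added example on the server-rendered template issue raised in this thread (not code from the book or from the comments above): HTML-encoding user text leaves AngularJS `{{ }}` delimiters intact, so a server that writes user text into a page AngularJS later compiles should also mark it `ng-non-bindable`. The function names and sample values are hypothetical, and the default interpolation symbols are assumed.

```javascript
'use strict';
// Added example: server-side output helpers for a page that AngularJS
// compiles in the browser. All names here are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Ordinary HTML encoding. It blocks markup injection but does not touch
// "{{" or "}}", which AngularJS evaluates when it compiles the DOM.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumes the default interpolation symbols (not changed through
// $interpolateProvider). A lone "{{" counts, since it could pair with
// a "}}" that appears later in the page.
function containsInterpolation(text) {
  return text.includes('{{') || text.includes('}}');
}

// Encode, then wrap in ng-non-bindable so the compiler skips the subtree.
// Because the content is HTML-encoded first, it cannot close the span.
function renderUserText(value) {
  return '<span ng-non-bindable>' + escapeHtml(value) + '</span>';
}

// Review helper: given the untrusted values written into a response, report
// the ones that would reach the browser as live template expressions
// if only escapeHtml() were applied.
function needsNonBindable(values) {
  return values.filter((v) => containsInterpolation(escapeHtml(v)));
}

// Constructed sample input.
const samples = ['Alice', '<b>bold</b>', 'total: {{ 1 + 1 }}'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', renderUserText(s));
}
console.log('still live after HTML encoding:', needsNonBindable(samples));
```

Replacing the braces with character references such as `&#123;` does not help, because AngularJS reads the decoded DOM text. Keeping user data out of the server-rendered template and delivering it through the model is the other way to avoid the problem.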