Securing Your Application
In any web application, we must ensure that sensitive data and actions are not
available to unauthorized users. The only really secure place in such an application
is within the server. Outside of this, we have to assume that the code can be
compromised, and so we must put checks in place at the point where data enters or
leaves our server. The first part of this chapter looks at what we must do on both the
client side and the server side to ensure this security, as given in the following points:
- Securing the server to prevent unauthorized access to data and HTML
- Encrypting the connection to prevent snooping
- Preventing cross-site scripting (XSS) and cross-site request forgery (XSRF) attacks
- Blocking a JSON injection vulnerability
While security checks must always be done on the server, and this is most critical,
we should also provide a good user experience with a client interface that only gives
the user access to functionality that is appropriate to their permissions. We should
also provide a clean authentication process that does not upset the flow of their
interactions with the application. The second part of this chapter looks at how best
to support this in AngularJS, as given in the following points:
- The difference in securing a stateful, rich client application compared to more traditional stateless, server-based applications
- Handling authorization errors from the server by intercepting HTTP responses
- Restricting access to parts of the application by securing routes
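The last two points above, as an added example that is not code from the book: an AngularJS `$http` interceptor that turns 401 and 403 responses from the server into application events, and a route `resolve` guard that keeps a user without the required role out of a route. The factories are written as plain functions so the logic runs without angular loaded; the event names (`auth:unauthenticated`, `auth:forbidden`), the `currentUser` service, the `requireRole` helper and the `/admin` route are assumptions made for the example.

```javascript
// Added example (not from the book). Interceptor factory: AngularJS calls it
// with $q and $rootScope injected once it is registered with $httpProvider.
function authInterceptorFactory($q, $rootScope) {
  return {
    responseError: function (rejection) {
      if (rejection.status === 401) {
        // Not authenticated: the app can show a login dialog and retry later.
        $rootScope.$broadcast('auth:unauthenticated', rejection);   // assumed event name
      } else if (rejection.status === 403) {
        // Authenticated but not allowed: surface a "forbidden" message.
        $rootScope.$broadcast('auth:forbidden', rejection);         // assumed event name
      }
      // Always propagate the error so the caller's own handlers still run.
      return $q.reject(rejection);
    }
  };
}

// Route guard: returns a resolve function that rejects when the current user
// lacks `role`. A rejected resolve makes ngRoute emit $routeChangeError instead
// of loading the route's controller and template.
function requireRole(role) {
  return ['$q', 'currentUser', function ($q, currentUser) {
    var user = currentUser.get();          // assumed service returning { name, roles }
    if (user && user.roles.indexOf(role) !== -1) {
      return $q.when(user);
    }
    return $q.reject({ reason: 'forbidden', requiredRole: role });
  }];
}

// Wire both into an AngularJS module when angular is present (skipped when the
// file is run stand-alone under Node for the offline checks below).
if (typeof angular !== 'undefined') {
  angular.module('securedApp', ['ngRoute'])
    .factory('authInterceptor', ['$q', '$rootScope', authInterceptorFactory])
    .config(['$httpProvider', '$routeProvider', function ($httpProvider, $routeProvider) {
      $httpProvider.interceptors.push('authInterceptor');
      $routeProvider.when('/admin', {
        templateUrl: 'admin.tpl.html',     // assumed template path
        controller: 'AdminCtrl',           // assumed controller name
        resolve: { user: requireRole('admin') }
      });
    }])
    .run(['$rootScope', '$location', function ($rootScope, $location) {
      $rootScope.$on('$routeChangeError', function (evt, next, prev, err) {
        if (err && err.reason === 'forbidden') { $location.path('/forbidden'); }
      });
    }]);
}

// Minimal stand-ins for $q and $rootScope so the logic can be exercised offline.
function makeFakeQ() {
  return {
    resolved: undefined, rejected: undefined,
    when: function (v) { this.resolved = v; return { ok: v }; },
    reject: function (e) { this.rejected = e; return { error: e }; }
  };
}
function makeFakeScope() {
  var events = [];
  return { events: events, $broadcast: function (name) { events.push(name); } };
}

// Run the interceptor against constructed 403/401 responses and the guard
// against constructed users; returns what happened so it can be checked.
function demo() {
  var q = makeFakeQ(), scope = makeFakeScope();
  var interceptor = authInterceptorFactory(q, scope);
  interceptor.responseError({ status: 403, data: 'constructed forbidden reply' });
  interceptor.responseError({ status: 401, data: 'constructed unauthenticated reply' });

  var guard = requireRole('admin');
  var resolveFn = guard[guard.length - 1];
  var editorQ = makeFakeQ();
  resolveFn(editorQ, { get: function () { return { name: 'eve', roles: ['editor'] }; } });
  var adminQ = makeFakeQ();
  resolveFn(adminQ, { get: function () { return { name: 'ann', roles: ['admin'] }; } });

  return {
    events: scope.events,                       // ['auth:forbidden', 'auth:unauthenticated']
    editorBlocked: editorQ.rejected !== undefined && editorQ.rejected.reason === 'forbidden',
    adminAllowed: adminQ.resolved !== undefined && adminQ.resolved.name === 'ann'
  };
}
```

Both pieces only shape the user experience: the interceptor reacts to a decision the server has already made, and the route guard hides a screen the server must refuse to serve data for anyway. Neither replaces the server-side checks the first half of the chapter covers.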