Securing Your Application
We could delete templates from the $templateCache service, either selectively or completely, at various points in the application. For instance, we could clear out restricted templates when navigating away from a restricted route, or when logging out. This can be complicated to manage, so the safest method is perhaps to reload the page completely, that is, to refresh the browser, when the user logs out.
Reloading the application, by refreshing the browser page, has the added benefit of clearing out any data that may have been cached in AngularJS services.
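The two options just described, selective eviction of restricted templates and a full reload on logout, as an added example that is not code from the book or its demo application. It assumes a stand-in cache object (createCache) that mimics the put/get/remove/removeAll/info methods of an AngularJS $cacheFactory cache such as $templateCache, and a $window object passed in so the reload can be stubbed; in a real AngularJS app both would be injected. The route table, role names and template URLs are constructed sample data.

```javascript
// Added example (not from the book): evict restricted templates from the
// template cache when the user's access changes, and wipe everything on logout.
//
// ASSUMPTION: createCache() is a stand-in with the same method names as an
// AngularJS $cacheFactory cache ($templateCache). In a real app, inject
// $templateCache and $window instead of building them here.

function createCache() {
  const store = new Map();
  return {
    put: (key, value) => { store.set(key, value); return value; },
    get: (key) => store.get(key),
    remove: (key) => { store.delete(key); },
    removeAll: () => { store.clear(); },
    info: () => ({ size: store.size }),
  };
}

// Constructed route table: each route lists the template it loads and the
// roles allowed to view it. No `roles` entry means the template is public.
const routes = {
  '/':            { templateUrl: 'tpl/home.html' },
  '/login':       { templateUrl: 'tpl/login.html' },
  '/admin/users': { templateUrl: 'tpl/admin/users.html', roles: ['admin'] },
  '/admin/logs':  { templateUrl: 'tpl/admin/logs.html',  roles: ['admin'] },
  '/account':     { templateUrl: 'tpl/account.html',     roles: ['user', 'admin'] },
};

// Remove every cached template whose route the given user may not view.
// `user` is null for an anonymous (logged-out) visitor. Returns the list of
// evicted template URLs so the caller can log or assert on it.
function evictRestrictedTemplates(templateCache, routeTable, user) {
  const evicted = [];
  for (const route of Object.values(routeTable)) {
    if (!route.roles) continue;                       // public, keep it cached
    const allowed = user && route.roles.includes(user.role);
    if (!allowed && templateCache.get(route.templateUrl) !== undefined) {
      templateCache.remove(route.templateUrl);
      evicted.push(route.templateUrl);
    }
  }
  return evicted;
}

// Logout handler: the simple and safe path. Drop every template, then reload
// the page so that data cached in other services is discarded as well.
function logout(templateCache, $window) {
  templateCache.removeAll();
  $window.location.reload();
}
```

Selective eviction has to be re-run on every role change and on every transition away from a restricted route, which is the management burden the text refers to; the logout path avoids that by calling removeAll() and then reloading.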
Stopping malicious attacks
To allow secure access to legitimate users, there has to be an element of trust between the server and the browser. Unfortunately, there are a number of attacks that can take advantage of this trust. With the correct support on the server, AngularJS can provide protection against these security holes.
Preventing cookie snooping (man-in-the-middle attacks)
Whenever you pass data over HTTP between a client and a server, there is an opportunity for third parties to snoop on sensitive information or, even worse, to read your cookies, hijack your session, and access the server as though they were you. This is often referred to as a "man-in-the-middle" attack; see http://en.wikipedia.org/wiki/Man-in-the-middle_attack. The easiest way to prevent these attacks is to use HTTPS rather than HTTP.
Any application in which sensitive data passes between the application and the server should use HTTPS to ensure that this data is encrypted.
By encrypting the connection using HTTPS, we prevent sensitive data from being read as it passes between the client and the server, and we also prevent unauthorized users from reading authentication cookies from our requests and hijacking our session.
In our demo application, the requests to the MongoLab DB are already sent over HTTPS from our server. To provide complete protection from this kind of snooping, we should also ensure that our client interacts with our server over HTTPS. Mostly, this is just a case of getting the server to listen over HTTPS and the client to make its requests over HTTPS.