Mastering Web Application

Chapter 7

Implementing this on the server depends on your choice of back-end technology
and is beyond the scope of this book. But in Node.js you could use the https
module as shown in the following code:


var fs = require('fs');
var https = require('https');

// Load the server's private key and certificate (PEM files)
var privateKey = fs.readFileSync('cert/privatekey.pem').toString();
var certificate = fs.readFileSync('cert/certificate.pem').toString();
var credentials = {key: privateKey, cert: certificate};

// `app` is the Express application and `config` the application
// configuration object; both are assumed to be defined elsewhere in the app
var secureServer = https.createServer(credentials, app);
secureServer.listen(config.server.securePort);

On the client side, we just have to ensure that the URL used to connect to the server
is not hardcoded to the HTTP protocol. The easiest way to do this is not to provide a
protocol at all in the URL.


angular.module('app').constant('MONGOLAB_CONFIG', {
baseUrl: '/databases/',
dbName: 'ascrum'
});

In addition, we should also ensure that the authentication cookie is restricted to
HTTPS requests only. We can do this by setting the secure and httpOnly options to
true when creating the cookie on the server (secure limits the cookie to HTTPS
connections; httpOnly additionally keeps it out of reach of client-side script).


Preventing cross-site scripting attacks


A cross-site scripting (XSS) attack is one where an attacker manages to inject client-side
script into a web page that is then viewed by another user. This is particularly bad if the
injected script makes a request to our server, because the server assumes that it is the
authenticated user who is making the request and allows it.


XSS attacks can take a wide variety of forms. The most common are those where
user-provided content is displayed without being properly escaped, so that malicious
HTML is rendered. The next section explains how we can do this escaping on the client,
but you should also ensure that any user-provided content is sanitized on the server,
before being stored or sent back to the client.
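As an added example, not code from the book, the following Node.js snippet shows the server-side counterpart of the escaping described here: user-provided values are escaped at the point where they are written into HTML, so that markup in the input is rendered as literal text. The function names (escapeHtml, renderMessages) and the sample messages are constructed for this example.

```javascript
// Added example (not from the book): escaping user-provided content on the
// server before it is echoed into an HTML response. Function names and the
// sample data are constructed for this example.

// Characters that can change meaning inside an HTML text node or inside a
// double- or single-quoted attribute value, and their safe replacements.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
};

// Escape user text so the browser renders it literally instead of as markup.
// Ampersand is included so that an already-escaped entity cannot be re-read.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Render a list of messages into an HTML fragment. Each user-controlled
// value is escaped at output time, whether it lands in an attribute value
// or in element text; the raw value can still be stored verbatim.
function renderMessages(messages) {
  return messages.map(m =>
    '<li data-author="' + escapeHtml(m.author) + '">' +
    escapeHtml(m.text) + '</li>'
  ).join('\n');
}

// Constructed sample input: the book's model value, plus a message whose
// author field tries to close the attribute and whose text contains a tag.
const SAMPLE_MESSAGES = [
  { author: 'alice', text: 'Hello, <b>World</b>!' },
  { author: 'bob" data-x="y', text: '<script>doSomething()</script>' },
];

// Returns true when the rendered fragment contains no raw tag characters
// from user input (useful as a check in a test suite).
function rendersWithoutMarkup(messages) {
  const html = renderMessages(messages);
  // Strip our own <li ...> / </li> wrappers, then look for leftover tags.
  const body = html.replace(/<li data-author="[^"]*">/g, '').replace(/<\/li>/g, '');
  return !/[<>]/.test(body);
}

module.exports = { escapeHtml, renderMessages, rendersWithoutMarkup, SAMPLE_MESSAGES };
```

Escaping belongs at the output boundary for the context in use: the same replacement table is safe for element text and quoted attribute values, but content inserted into a URL, a script block or a style block needs context-specific encoding instead.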


Securing HTML content in AngularJS expressions

AngularJS escapes all HTML in text that is displayed through the ng-bind directive
or through template interpolation (that is, text in {{curly braces}}). For example, using the
following model:


$scope.msg = 'Hello, <b>World</b>!';