How secure is AngularJS for code?


Frank Rocco
Feb 18, 2016, 3:09:31 PM
to AngularJS
I can easily go into 'view source' and click on the link to the app's script and see all of the code.

Sander Elias
Feb 19, 2016, 2:11:54 AM
to AngularJS
Hi Frank,

Your app runs (usually) in a browser. So Angular is no exception to any other: you can view the source of your app.
However, Angular 2 will have a way to run it on your server, and only serve the resulting HTML. That way you can keep some/most of your app on the server. (You still need some JS on the client, no way around that.)

However, this has very little to do with code security. Using Angular makes your code more secure than it would be without it. For an attacker it's a whole lot more complex to tamper with your application.

But you have to realize that if you expose your application to the web (this is even true for non-web apps!) security is at stake, and it is something you can only battle at your server.


Regards
Sander 

Frank Rocco
Feb 19, 2016, 8:49:35 AM
to AngularJS
Thanks for getting back to me. I was more concerned about protecting business logic, as the js files can be viewed.
I did not know that Angular 2 would have an option to protect this.

Thanks

Sander Elias
Feb 19, 2016, 10:06:44 AM
to AngularJS
Hi Frank,

Well, you should keep the 'trade-secret' stuff on your server. But in real practice, there is very little that does qualify. Really think about it. The calculations you need to do invoicing are not really a trade secret, right? Stock management? Right, you have to keep that under close guard, no other company around has cracked that yet... ;)

Most things are just way too common, and handled in every business alike. Sure, there is some stuff you don't want to expose, but often that is in the data, not in the way the data is handled. For example, calculating colors for paint. To get a certain color, you need to know the exact data to reproduce that color. Every paint company knows how to calculate this. So, is there then a 'trade secret' in there?
(Just a singled-out example!)

With kind regards
Sander 
 

Frank Rocco
Feb 19, 2016, 10:32:28 AM
to AngularJS
Thanks again... I appreciate your feedback.

Martin Wawrusch
Feb 22, 2016, 11:21:37 PM
to AngularJS
In general you will want to minify and uglify your source (js, css). Look here: https://www.npmjs.com/package/gulp-uglify and typical Angular 2 seed packages.

Sander Elias
Feb 23, 2016, 10:28:45 AM
to AngularJS
Hi Martin,

Sure, but that's a separate issue. Uglifying your code tends to obscure it a bit, but it does not add anything with regards to security!

Regards
Sander

Long Field
Feb 23, 2016, 4:56:31 PM
to AngularJS
So uglifying can speed up loading but is not helpful for security.

Sander Elias
Feb 24, 2016, 1:41:22 AM
to AngularJS
Hi Long,

> So uglifying can speed up loading but is not helpful for security.

That is correct. There is no added security by using uglify.

Regards
Sander

Anthoni Gardner
Feb 24, 2016, 2:24:51 AM
to AngularJS
Hi Long Field,

I am facing a very similar prospect at the moment.
I am currently building a web application using Angular 1 (for some reason I cannot seem to get my head around ng2 at the moment, but that's another matter).

In this application we have users who login through an authenticator and then are given 'access levels' to certain parts of the software.
Some access levels allow full access, others do not.

True, Angular does make getting access to your code a little trickier, but if you know Angular you can still get access. After all, they are just JavaScript objects buried beneath the main Window object.
The way that I've solved it personally is to show the visual limitation on the client (a la browser) BUT ALWAYS verify their access on the server side. So even if they do change it client side, they still cannot access it server side. I will show them a warning or something (not worked that part out yet).

Hope this helps.

Regards
Anthoni
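The pattern Anthoni describes, a cosmetic check in the browser paired with an authoritative check on the server, as an added example that is not from this thread or from any poster. It assumes a hypothetical numeric access-level model, a constructed session table, and plain Node.js with no framework, so it runs stand-alone.

```javascript
// Added example (not from the thread): the server decides access from state it
// holds itself; nothing the client sends about its own level is trusted.
// Levels, sessions and routes below are hypothetical/constructed.

// Server-side source of truth. In a real app this is the session store or
// database keyed by a signed session id, never a field in the request body.
const ACCESS_LEVELS = { viewer: 1, editor: 2, admin: 3 };

// Constructed session table for the example.
const SESSIONS = {
  'sess-alice': { user: 'alice', level: ACCESS_LEVELS.admin },
  'sess-bob':   { user: 'bob',   level: ACCESS_LEVELS.viewer },
};

// Minimum level required for each protected server route.
const ROUTE_POLICY = {
  'GET /api/reports':   ACCESS_LEVELS.viewer,
  'POST /api/invoices': ACCESS_LEVELS.editor,
  'DELETE /api/users':  ACCESS_LEVELS.admin,
};

// Server-side authorization. `req.claimedLevel` (or any other client-supplied
// field) is deliberately never read: the browser can set it to anything.
function authorize(req) {
  const session = SESSIONS[req.sessionId];
  if (!session) return { status: 401, reason: 'no valid session' };
  const required = ROUTE_POLICY[`${req.method} ${req.path}`];
  if (required === undefined) return { status: 404, reason: 'unknown route' };
  if (session.level < required) {
    // A 403 here with a valid session is the signal worth logging: the UI
    // should never have offered this action, so the client was likely tampered.
    return { status: 403, reason: `${session.user} needs level ${required}` };
  }
  return { status: 200, user: session.user };
}

// Client-side hint, the kind of thing ng-show / ng-if would be bound to.
// Purely cosmetic: the server above never consults it.
function uiCanShow(clientProfile, action) {
  return clientProfile.level >= ROUTE_POLICY[action];
}

// Walk through the tampering case: bob edits his in-browser profile to admin.
// The button appears, but the server still refuses.
function demoTamperedClient() {
  const tamperedProfile = { user: 'bob', level: ACCESS_LEVELS.admin };
  const shown = uiCanShow(tamperedProfile, 'DELETE /api/users');
  const result = authorize({ sessionId: 'sess-bob', method: 'DELETE',
                             path: '/api/users', claimedLevel: 3 });
  return { buttonShown: shown, serverStatus: result.status };
}
```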