Angular如何处理XSS或CSRF? [英] How does Angular handle XSS or CSRF?

问题描述

Angular(2)如何处理XSS和CSRF.它甚至可以应对这些攻击吗? 如果是这样，我该怎么做才能使用此保护?如果没有，我是否必须处理服务器中的所有这些攻击，或者以某种方式使用前端的TypeScript?

How does Angular (2) handle XSS and CSRF. Does it even handle these attacks? If so, what do I have to do to use this protection? If not, do I have to handle all these attacks in my server, or somehow with TypeScript in the frontend?

我已经读到您必须使用"withCredentials: true"，但是我不确定要在哪里放置此代码，或者即使是这样，我也在寻找什么.

I have read that you have to use "withCredentials: true", but I'm not quite sure where to put this code or if it is even that, what I'm looking for.

在 https://angular.io/网页上，我没有找到任何关于此的信息(或者只是错过了.)

In the https://angular.io/ webpage I didn't find anything about this (or I just missed it).

推荐答案

Angular2 提供内置功能，默认情况下启用*，反 XSS 和 CSRF/XSRF 保护.

Angular2 provides built-in, enabled by default*, anti XSS and CSRF/XSRF protection.

DomSanitizationService 很小心为了防止 XSS 攻击而删除危险位的方法.

The DomSanitizationService takes care of removing the dangerous bits in order to prevent an XSS attack.

CookieXSRFStrategy 类(在XHRConnection类)负责防止 CSRF/XSRF 攻击.

The CookieXSRFStrategy class (within the XHRConnection class) takes care of preventing CSRF/XSRF attacks.

*请注意，默认情况下在客户端上启用了 CSRF/XSRF 保护，但仅当后端设置了一个名为 XSRF-TOKEN 的cookie时，该保护才有效.用户进行身份验证.有关更多信息，请阅读有关 Cookie-to-Header令牌模式.

*Note that the CSRF/XSRF protection is enabled by default on the client but only works if the backend sets a cookie named XSRF-TOKEN with a random value when the user authenticates. For more information read up about the Cookie-to-Header Token pattern.

更新:Angular2官方安全文档: https://angular.io/docs/ts/latest/guide/security.html (感谢Martin Probst的编辑建议！).

UPDATE: Official Angular2 security documentation: https://angular.io/docs/ts/latest/guide/security.html (Thanks to Martin Probst for the edit suggestion!).

这篇关于Angular如何处理XSS或CSRF?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！