问题描述
Angular(2)如何处理XSS和CSRF.它甚至可以应对这些攻击吗?如果是这样,我该怎么做才能使用此保护?如果没有,我是否必须处理服务器中的所有这些攻击,或者以某种方式使用前端的TypeScript?
How does Angular (2) handle XSS and CSRF. Does it even handle these attacks?If so, what do I have to do to use this protection? If not, do I have to handle all these attacks in my server, or somehow with TypeScript in the frontend?
我已经读到您必须使用"withCredentials: true
",但是我不确定要在哪里放置此代码,或者即使是这样,我也在寻找什么.
I have read that you have to use "withCredentials: true
", but I'm not quite sure where to put this code or if it is even that, what I'm looking for.
在 https://angular.io/网页上,我没有找到任何关于此的信息(或者只是错过了.)
In the https://angular.io/ webpage I didn't find anything about this (or I just missed it).
推荐答案
Angular2 提供内置功能,默认情况下启用*,反 XSS 和 CSRF/XSRF 保护.
Angular2 provides built-in, enabled by default*, anti XSS and CSRF/XSRF protection.
DomSanitizationService 很小心为了防止 XSS 攻击而删除危险位的方法.
The DomSanitizationService takes care of removing the dangerous bits in order to prevent an XSS attack.
CookieXSRFStrategy 类(在XHRConnection类)负责防止 CSRF/XSRF 攻击.
The CookieXSRFStrategy class (within the XHRConnection class) takes care of preventing CSRF/XSRF attacks.
*请注意,默认情况下在客户端上启用了 CSRF/XSRF 保护,但仅当后端设置了一个名为 XSRF-TOKEN 的cookie时,该保护才有效.用户进行身份验证.有关更多信息,请阅读有关 Cookie-to-Header令牌模式.
*Note that the CSRF/XSRF protection is enabled by default on the client but only works if the backend sets a cookie named XSRF-TOKEN with a random value when the user authenticates. For more information read up about the Cookie-to-Header Token pattern.
更新:Angular2官方安全文档: https://angular.io/docs/ts/latest/guide/security.html (感谢Martin Probst的编辑建议!).
UPDATE: Official Angular2 security documentation: https://angular.io/docs/ts/latest/guide/security.html (Thanks to Martin Probst for the edit suggestion!).
这篇关于Angular如何处理XSS或CSRF?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!