Attending Black Hat? Meet us there! Learn more

Angular Security Best Practices 2025

Ahmad Sadeddin

CEO at Corgea

angular title image

Introduction

Angular is one of the most widely used frameworks for building modern web applications. But with its popularity comes increased attention from attackers. A single overlooked vulnerability can expose users to serious risks like XSS, CSRF, or data leaks.

This guide covers essential Angular security best practices — from handling DOM safely to enforcing HTTPS and CSRF protection — to help developers build secure, production-ready applications.

Keep Angular & Dependencies Updated

Angular regularly releases updates that include security patches, performance improvements, and bug fixes. Using outdated versions of Angular or its dependencies can leave your application vulnerable to known security issues, many of which are documented in public CVE databases and actively exploited.

ng update @angular/core @angular/cli
npm

Use tools like npm audit, or Corgea's supply chain scanner to catch risky dependencies early.

Enable Content Security Policy (CSP)

A Content Security Policy (CSP) is a powerful browser mechanism that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by restricting which sources of content are allowed to load on your web page. By defining a strict CSP header, you can block unauthorized inline scripts, styles, and external resources from running. This significantly reduces the risk of attackers injecting and executing malicious JavaScript.

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">

Start with strict settings and loosen if needed.

Use HTTPS Only

All Angular apps must run over HTTPS to protect user data and prevent man-in-the-middle (MITM) attacks. Serving your app over HTTP can expose sensitive data — including authentication tokens, API calls, and personal information — to interception or tampering.

  • Set up automatic http → https redirects on your server

  • Use Secure, HttpOnly, and SameSite flags on cookies

Prevent Cross-Site Scripting (XSS)

Angular automatically sanitizes untrusted values used in templates to protect against cross-site scripting (XSS) attacks. This applies to content bindings involving HTML, URLs, styles, and resource URLs — ensuring that malicious scripts can't be injected via user input.

<!-- Safe binding -->
<div [innerHTML]="trustedHtml"></div>
this.trustedHtml = this.sanitizer.bypassSecurityTrustHtml(userInput);

Only use DomSanitizer when absolutely sure of content safety. Never inject raw HTML.

Enable CSRF Protection

Cross-Site Request Forgery (CSRF) is an attack where a malicious site tricks a user's browser into making unauthorized requests to your backend while the user is authenticated. Angular's HttpClient can automatically handle CSRF tokens when working with servers that support the double submit cookie pattern.

How it works:

  • The server sends a CSRF token in a cookie (e.g., XSRF-TOKEN).

  • Angular reads this cookie and automatically adds its value to a custom header (default: X-XSRF-TOKEN) in all mutating requests (POST, PUT, DELETE, etc.).

HttpClientXsrfModule.withOptions({
  cookieName: 'XSRF-TOKEN',
  headerName: 'X-XSRF-TOKEN'
})

Ensure your server validates the token. When using HttpOnly cookies for auth, CSRF protection becomes critical.

Avoid Dangerous APIs

Direct DOM access in Angular — using methods like ElementRef.nativeElement, innerHTML, or eval() — bypasses Angular's built-in security mechanisms and can lead to serious vulnerabilities, especially XSS.

// Instead of this
this.el.nativeElement.innerHTML = userInput;

// Use Renderer2 safely
this.renderer.setProperty(this.el.nativeElement, 'textContent', userInput);

Use Angular Route Guards & Role Checks

Not all parts of your app should be publicly accessible. Route guards help you protect sensitive routes by enforcing authentication and authorization logic before navigation occurs.

Angular provides several types of guards:

  • CanActivate: Prevents access to a route.

  • CanLoad: Prevents lazy-loaded modules from loading.

  • CanActivateChild: Secures child routes.

  • CanDeactivate: Checks before navigating away from a route.

canActivate(): boolean {
  return this.authService.isLoggedIn();
}

Also use role-based visibility checks within templates and components:

<button *ngIf="user.role === 'admin'">Delete</button>

Always enforce permissions on the server as well.

Use HTTP Interceptors for Token Handling

Globally attach JWT tokens and handle errors using interceptors:

request = request.clone({
  setHeaders: { Authorization: `Bearer \${token}` }
});

Also handle 401 errors and redirect to login in one place.

Secure Session Management

  • Use HttpOnly, Secure, SameSite cookies for auth

  • Auto-logout on inactivity (e.g., after 15 minutes)

  • Regenerate tokens after privilege escalation

  • Avoid storing JWTs in localStorage unless absolutely necessary (risk of XSS).

Enable JSON XSSI Protection

Ensure backend prefixes JSON with a non-parseable string (Angular expects this):

)]}',
{"key": "value"}

Angular strips this automatically. It blocks old-style JSON hijacking attacks.

Automate Security Scanning (SAST/DAST)

Set up CI/CD pipelines with:

  • SAST tools like Corgea to detect risky code patterns early

  • DAST to simulate attacks on staging apps

  • Also integrate dependency scanning (SBOMs) to catch vulnerable packages.

# Corgea example scan
corgea scan --path ./src --framework

Enterprise Tip: RBAC Integration

Map user roles to front-end controls and API-level permissions. Use claim-based JWTs or RBAC services like Auth0/Keycloak.

Enterprise Tip: Secure Audit Logging

Log security-critical events (login attempts, data access, config changes). Use Angular interceptors or services to standardize logs sent to your backend.