How safe are angular route guards? [duplicate]

I'm making an online store, and there's an administration part from where you can track orders and modify them.

It is protected by authentication, which is done on a node server, passwords is hashed into DB etc. but I'm worried about the route guard still being bypassed.

Henslowe answered 30/11, 2017 at 15:23 Comment(0)

You should be worried.

Route guards provide exactly zero security, like anything else that you implement on the client side. Things you implement on the client side can only be for the users' convenience, but not for security.

You need to enforce security on the server side.

Kavanaugh answered 30/11, 2017 at 15:24 Comment(6)
+1. Just curious how we enforce the security on the side side so we can be absolutely sure that the users cannot view the routes that they don't have access to? – Lietman

Not sure what you mean. There is no way to enforce anything in the browser. You can always modify the source or even build your own client. If you mean without considering the user modifying the source, the route guards are safe enough. – Galvanoscope

Oops, sorry, my stupid typo. I meant how do we enforce security on the server side so we can be absolutely sure that users cannot view something that they are not supposed to view? For example: say I have a super secured API. That doesn't prevent the users from mucking with the Javascript and tricking the router guard into viewing a protected page's UI (of course the data is protected, but can't they just see the structure of that page?). Or can they even do that? – Lietman

I don't understand why you want to prevent someone seeing the app structure. It should be possible to use lazy loading to split your app, for example into a user and an admin part, and prevent non-admin users from downloading that part on the web server. If you lazy load modules then Angular should split them up into different files when you build the app. – Galvanoscope

Right, exactly. I was trying to say admin part vs non-admin part. So yes, your example makes sense. So lazy loading is the way to go. Thanks for your patient responses. – Lietman

You also need to restrict the webserver to serve the admin module to admin users only. Lazy loading alone is not enough. A malicious user could still download the module using curl/wget or similar. – Galvanoscope
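The server-side enforcement the answer and the last comment describe, as an added example that is not code from the question, the answer or the Angular project: a Node authorization check applied both to the admin API and to the lazily loaded admin bundle, so the client-side route guard is only a convenience. The session ids, roles and the bundle file name are constructed assumptions.

```javascript
// Added example, not code from the question or answer: server-side access
// control in Node for an online store's admin area. The check is applied to
// the admin API and to the lazily loaded admin bundle, so the Angular route
// guard is only a convenience. Session ids, roles and the bundle file name
// are constructed assumptions.

const ACCESS_RULES = [
  // Prefix match without a trailing slash, so "/api/admin" and
  // "/api/admin/orders" are both covered; over-matching is the safe direction.
  { prefix: '/api/admin', roles: ['admin'] },
  { prefix: '/admin-module.js', roles: ['admin'] },
  { prefix: '/api/account', roles: ['user', 'admin'] },
];

// Stand-in for the DB-backed session store (constructed data); the cookie
// value is an opaque id the server issued at login, never the role itself.
const SESSIONS = new Map([
  ['s-admin', { userId: 1, role: 'admin' }],
  ['s-user', { userId: 2, role: 'user' }],
]);

function sessionFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || '');
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Returns an HTTP status: 200 allow, 400 unparsable path,
// 401 no valid session, 403 wrong role. Unlisted paths are public.
function authorize(rawUrl, cookieHeader) {
  let path;
  try {
    // URL parsing resolves "." and ".." segments and drops the query string;
    // decoding stops "%61dmin" from slipping past the prefix comparison.
    path = decodeURIComponent(new URL(rawUrl, 'http://localhost').pathname);
  } catch {
    return 400;
  }
  const rule = ACCESS_RULES.find(r => path.startsWith(r.prefix));
  if (!rule) return 200;
  const session = sessionFromCookie(cookieHeader);
  if (!session) return 401;
  return rule.roles.includes(session.role) ? 200 : 403;
}

// Connect/Express-style middleware: register it before the static file
// handler so the admin bundle is never served to a non-admin.
function enforceAccess(req, res, next) {
  const status = authorize(req.url, req.headers.cookie);
  if (status === 200) return next();
  res.statusCode = status;
  res.end();
}
```

Because the decision is made from the server-side session rather than anything the browser sends about its own state, a user who edits the Angular guard or fetches the bundle with curl gets the same 401/403 as any other unauthorized client.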
