Security in an Angular Application

5

I have questions about security, I'll illustrate:

In my front end, in my controller, I have this method:

  $scope.getAllpessoaGrid = function (strPesquisa, tipopessoa) {
      // show the progress bar while the request is in flight
      $scope.progressbar.start();
      // the search term and person type are posted to the backend
      $http.post("/pessoa/getAll", { strPesquisa: strPesquisa, tipopessoa: tipopessoa })
          .success(function (data) {
              // the JSON returned by the server is bound directly to the grid
              $scope.gridOptions.data = data;
              $scope.progressbar.complete();
          })
          .error(function (error) {
              $scope.progressbar.complete();
          });
  };

After running, a JSON is returned, which is exposed in the browser's debug tools; anyone can see the returned data:

How do I hide this return from the backend?

    
asked by anonymous 06.04.2017 / 22:46

2 answers

7

Of course it is impossible. Everything running on browser can be accessed (even modified) by the user.

A simple alternative, if any, is to encrypt the string that is returned by the server-side. This increases the complexity of the application a bit because it will always be necessary to decrypt the data that is transmitted from the client to the server and vice versa.

Anyway, if the user is a little "smart" he will be able to see the data, because at some point this will need to be decrypted to be used in the client-side.

In fact, if the user is already able to see this information through the interface, does it make sense to hide it from him?

Example of a readable payload:

{ "usuario": {"nome": "Jéferson"} }

And in Base64:

"eyAidXN1YXJpbyI6IHsibm9tZSI6ICJKw6lmZXJzb24ifSB9"
    
06.04.2017 / 23:14
6

From what I understand from your question, it looks like you are displaying some information to the client via the interface, but the returned JSON is showing more than it should!

I work with Angular on systems that have public access and at the same time, internally, with access control.

What I do to avoid any kind of exposure problem is to return exactly what the user can see in each situation.

Taking a didactic example, using the Laravel framework, I create routes that return something to the end user that has public access, something else for the client, and something else for the administrator.

Example:

  // Only the admin has access; he can see everything
  Route::get('/usuarios/ajax-listar-controle-acesso', function () {
      return Usuario::all();
  });

  // Authenticated clients have access; they can see some of the data
  Route::get('/usuarios/ajax-consulta', function () {
      return Usuario::select('id', 'telefone', 'nome', 'email')->get();
  });

  // Public access, limited information to avoid improper exposure
  Route::get('/usuarios/ajax-consulta-web', function () {
      return Usuario::select('id', 'nome')->get();
  });

At the end of the day the concern is not the data being exposed in the browser, but rather how, and to whom, it is exposed.

If you want to control what can be returned to the browser, put the logic for this in the backend.

Security in this case does not rest on the luck that the end user does not see sensitive data because he does not know how to open the developer tools, but on what you want him to see according to need and authorization.

    
07.04.2017 / 04:43
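The following is an added example, not code from the question or from either answer. It shows both points made above in plain Node.js instead of Laravel: the Base64 string from the first answer decodes straight back to the JSON (so encoding hides nothing from the browser), and a per-role field allow-list like the second answer's three routes ensures the server only ever sends what the caller is authorized to see. The role names, the sample record and the `getAllHandler` function are constructed for the example.

```javascript
// Base64 is an encoding, not encryption: the payload from the first answer
// is recovered with one library call, so it offers no protection in the browser.
function decodeBase64Payload(b64) {
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Allow-list of fields each authorization level may receive (assumed roles).
// Anything not listed never leaves the server, so DevTools can only show
// what the caller was already entitled to see.
const FIELDS_BY_ROLE = {
  public: ['id', 'nome'],
  cliente: ['id', 'telefone', 'nome', 'email'],
  admin: null, // null = every field, as in the admin-only route
};

// Projects one record down to the fields allowed for the given role.
// Unknown roles fail closed instead of falling back to a permissive default.
function projectForRole(record, role) {
  const allowed = FIELDS_BY_ROLE[role];
  if (allowed === undefined) {
    throw new Error(`unknown role: ${role}`);
  }
  if (allowed === null) return { ...record };
  const out = {};
  for (const field of allowed) {
    if (Object.prototype.hasOwnProperty.call(record, field)) {
      out[field] = record[field];
    }
  }
  return out;
}

// Constructed sample row standing in for a record from the `usuarios` table.
const SAMPLE_USUARIO = {
  id: 42,
  nome: 'Jéferson',
  telefone: '11 99999-0000',
  email: 'jeferson@example.com',
  senha_hash: '$2y$10$placeholder-hash', // must never reach the browser
  cpf: '000.000.000-00',                  // must never reach the browser
};

// Hypothetical stand-in for the `/pessoa/getAll` handler. The role comes from
// the server-side session, never from the request body the client controls.
function getAllHandler(session, rows) {
  return rows.map((row) => projectForRole(row, session.role));
}
```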