How secure is it if you hide protected information?

My HTML page should display a div (contains protected information) based on permission.

  • How safe is it to use ng-if to hide the div in this script?
  • Will the user hack and view the div that contains the protected information?
+6
5 answers

You should not hide anything for security reasons in the "front-end" (i.e. using Angular). It’s trivial for the user to access content hidden with ng-if, ng-show, ng-hide, etc.

Instead, you should hide this data on the internal server and never transfer it to the browser in the first place.

A simple safety rule: if the browser has access to it, then so does the user.

+15

Adding to those already mentioned in these answers, you should keep in mind that when running webapps, the user has access to all of your client code. Thus, you should not even think about hiding sensitive data on the client side.

In addition, you should know a little more about the differences between ng-if and ng-show, ng-hide. Quote from the AngularJS website:

ngIf differs from ngShow and ngHide in that ngIf completely removes and recreates the element in the DOM, rather than changing its visibility using the css display property. A common case where this difference is significant is the use of css selectors that rely on the position of an element in the DOM, such as the :first-child or :last-child pseudo-classes.

Therefore, it is NOT safe to hide sensitive data in the interface. Depending on the user's permission level, you can make a separate API call to retrieve the data. On the server, check the permission and return the corresponding response.

+6
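The approach described in the answer above (a separate API call whose permission check runs on the server), as an added example that is not part of the original answers. The handler functions, tokens, field names and record are hypothetical and constructed, and the handlers return plain `{status, body}` objects instead of being wired to a web framework.

```javascript
// Added example; all names and values below are hypothetical / constructed.
const RECORDS = new Map([[42, { name: "Alice", department: "Sales", salary: 91000 }]]);
const SESSIONS = new Map([ // session token -> permissions held on the server
  ["tok-manager", { permissions: ["view_protected"] }],
  ["tok-guest", { permissions: [] }],
]);
const PROTECTED_FIELDS = ["salary"];

function canViewProtected(token) {
  const session = SESSIONS.get(token);
  return Boolean(session && session.permissions.includes("view_protected"));
}

// Anti-pattern: send the whole record plus a flag that the template feeds to ng-if.
// The protected field is already in the response body and ends up in $scope.
function unsafeGetRecord(token, id) {
  if (!SESSIONS.has(token)) return { status: 401, body: { error: "unauthenticated" } };
  return { status: 200, body: { ...RECORDS.get(id), showProtected: canViewProtected(token) } };
}

// General endpoint: protected fields are stripped before the response is built.
function getRecord(token, id) {
  if (!SESSIONS.has(token)) return { status: 401, body: { error: "unauthenticated" } };
  const record = RECORDS.get(id);
  if (!record) return { status: 404, body: { error: "not found" } };
  const body = Object.fromEntries(
    Object.entries(record).filter(([key]) => !PROTECTED_FIELDS.includes(key)));
  return { status: 200, body };
}

// Separate endpoint for the protected part: the permission is checked on the server,
// so a client that flips its own ng-if flag still receives nothing.
function getProtected(token, id) {
  if (!SESSIONS.has(token)) return { status: 401, body: { error: "unauthenticated" } };
  if (!canViewProtected(token)) return { status: 403, body: { error: "forbidden" } };
  const record = RECORDS.get(id);
  if (!record) return { status: 404, body: { error: "not found" } };
  const body = Object.fromEntries(PROTECTED_FIELDS.map((key) => [key, record[key]]));
  return { status: 200, body };
}

// What a guest's browser receives from each variant.
console.log(JSON.stringify(unsafeGetRecord("tok-guest", 42).body));
console.log(JSON.stringify(getRecord("tok-guest", 42).body));
console.log(getProtected("tok-guest", 42).status, getProtected("tok-manager", 42).status);
```

With this split, the ng-if in the template only controls layout; whether the protected value reaches the browser is decided by `getProtected` alone.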

ng-if does not display related information in the view. However, it depends on data in the $scope to decide whether or not to display the information. In addition, the information displayed is also in the $scope. Using browser extensions such as Batarang (or even simple JavaScript), the user can display the entire $scope hierarchy with the contained values.

So ... no :) don't expect AngularJS to hide your sensitive information

+3

How safe is it to use ng-if to hide the div in this script?

Not at all safe.

Will the user hack and view the div that contains the protected information?

Absolutely, yes.

+2

In fact, in AngularJS you can debug, so the user can access the object you use to switch ng-if and change its property. You can use ng-bind-html and bind that div as a module, which will be more secure but not completely.

+2

Source: https://habr.com/ru/post/979837/

