CtrlK
BlogDocsLog inGet started
Tessl Logo

angular-security

Harden Angular apps against XSS, CSP violations, and unauthorized access. Use when implementing XSS protection, Content Security Policy, or auth guards in Angular.

66

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Security

Priority: P0 (CRITICAL)

Principles

  • XSS Prevention: Angular sanitizes interpolated values by default — {{ userInput }} safe. NOT use innerHTML unless absolutely necessary (e.g., trusted static CMS content). For user-generated content, display as text with {{ content }} — never as HTML.
  • Trusted HTML APIs: Mark HTML as trusted only for content you control (e.g., vetted CMS headers). Never mark user-provided data as trusted. Prefer DomSanitizer.sanitize(SecurityContext.HTML, content) and review every trust-marking call as a potential XSS vector.
  • Route Guards: Protect all sensitive routes with functional CanActivateFn (e.g., inject(Router).createUrlTree(['/login'])). Apply with canActivate: [authGuard].

Guidelines

  • CSP: Configure CSP headers on server (not in Angular source). Use nonce-based CSP with script-src 'nonce-{nonce}' and avoid unsafe-inline/unsafe-eval.
  • HTTP: Use Interceptors to attach secure tokens. Use HttpOnly cookies managed by server — not localStorage or sessionStorage because they accessible via XSS.
  • Secrets: Never store API keys or secrets in Angular source code or bundle.

Anti-Patterns

  • No trust-marking on user input: Trust Angular's sanitization; reserve trusted HTML APIs for verified static content only.
  • No localStorage for tokens: Use HttpOnly cookies via interceptors for auth tokens.
  • No secrets in source: Never embed API keys or secrets in Angular bundle code.

References

  • Security Best Practices
  • common/security-standards
Repository
HoangNguyen0403/agent-skills-standard
Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.