Security Application Angular


Viewed 1,163 times

5

I have a question about security; I will give an example:

In my front end, my controller has this method:

  $scope.getAllpessoaGrid = function (strPesquisa, tipopessoa) {
      // show the progress bar while the request is in flight
      $scope.progressbar.start();
      $http.post("/pessoa/getAll", { strPesquisa: strPesquisa, tipopessoa: tipopessoa })
          .success(function (data) {
              // the JSON returned by the backend is bound straight to the grid
              $scope.gridOptions.data = data;
              $scope.progressbar.complete();
          })
          .error(function (error) {
              $scope.progressbar.complete();
          });
  };

After it runs, a JSON response is returned, which remains exposed in the browser's debug tools; anyone can see the returned data:

How can I hide this backend response?

  • Young man, did any of the answers solve your problem? If so, mark it as correct; otherwise leave a comment letting us know what can be improved.

2 answers

8

Naturally, it is impossible. Everything that runs in the browser can be accessed (and even modified) by the user.

A simple alternative, if there is one, is to encrypt the string returned by the server side. This increases the complexity of the application a little, because it will always be necessary to decrypt the data transmitted from client to server and vice versa.

Anyway, if the user is a little "smart" they will be able to see the data, because at some point it will need to be decrypted to be used client-side.

In fact, if the user will already be able to see this information through the interface, does it make sense to hide it from them?

Example of a readable payload:

{ "usuario": {"nome": "Jéferson"} }

And in Base64:

"eyAidXN1YXJpbyI6IHsibm9tZSI6ICJKw6lmZXJzb24ifSB9"
  • 2

    Agreed! There is no point in covering the sun with a sieve. If the problem is returning more than it should, the solution is to make the backend return only what may be seen. There is no camouflage that can stop an ill-intentioned user.

8

From what I understand from your question, it seems that you are displaying some information to the client via the interface, but the returned JSON shows more than it should!

I work with Angular in systems that have public access and at the same time, internally, with access control.

What I do to avoid any kind of exposure problem is to return exactly what the user can see in each situation.

As a didactic example using the Laravel framework, I create routes that return one thing to the end user with public access, another to the client, and yet another to the administrator.

Example:

  // Only the admin reaches this route; they may see everything
  Route::get('/usuarios/ajax-listar-controle-acesso', function () {
      return Usuario::all();
  });

  // Authenticated clients reach this route; they may see some of the data
  Route::get('/usuarios/ajax-consulta', function () {
      return Usuario::select('id', 'telefone', 'nome', 'email')->get();
  });

  // Public access; limited information to avoid undue exposure
  Route::get('/usuarios/ajax-consulta-web', function() {
      return Usuario::select('id', 'nome')->get();
  });

At the end of the day, the concern is not that the data is exposed in the browser, but how, and to whom, it is exposed.

If you want to control what can be returned to the browser, put the logic for this in the backend.

Security in this case is not trusting to luck that the end user does not see sensitive data because they do not know how to open the developer tools, but rather taking care to display data only as needed and authorized.
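The pattern both answers converge on (the backend returns only the fields the caller is allowed to see, so there is nothing sensitive left to hide in the browser) can be shown in the same JavaScript the question's front end uses. The following is an added example, not code from either answer and not a Laravel snippet: it mirrors the three routes above as one Node-style handler that picks the role from the server-side session and applies a per-role field whitelist. The role names, the `senha_hash`/`cpf` columns, the session shape and the sample records are all constructed for the example.

```javascript
// Added example: server-side projection of user records by caller role.
// Roles, field lists, session shape and sample data are constructed here.

// Columns that never leave the server, whatever the role (credential material).
const ALWAYS_HIDDEN = new Set(['senha_hash']);

// Whitelist per role. 'all' mirrors Usuario::all() for the admin route;
// the two arrays mirror the select() calls of the client and public routes.
// A Map (not a plain object) so a role like "toString" cannot hit the prototype.
const FIELDS_BY_ROLE = new Map([
  ['admin', 'all'],
  ['cliente', ['id', 'telefone', 'nome', 'email']],
  ['publico', ['id', 'nome']],
]);

// Constructed sample rows, including columns that some roles must not see.
const USUARIOS = [
  { id: 1, nome: 'Jéferson', email: 'jeferson@example.com', telefone: '11999990000',
    cpf: '000.000.000-00', senha_hash: '$2y$10$placeholder' },
  { id: 2, nome: 'Maria', email: 'maria@example.com', telefone: '11988880000',
    cpf: '111.111.111-11', senha_hash: '$2y$10$placeholder' },
];

// Copy only the allowed keys. Whitelisting (like select()) is preferred over
// deleting known-bad keys: a column added to the table later stays hidden by default.
function project(record, fields) {
  const keys = fields === 'all' ? Object.keys(record) : fields;
  const out = {};
  for (const k of keys) {
    if (ALWAYS_HIDDEN.has(k)) continue;
    if (!Object.prototype.hasOwnProperty.call(record, k)) continue;
    out[k] = record[k];
  }
  return out;
}

// The endpoint the browser would call. The role is taken from the server's own
// session object; a role sent in the request body or query string is ignored,
// because the client can set that to anything.
function listUsuarios(session, db = USUARIOS) {
  const authenticated = Boolean(session && session.authenticated);
  const role = authenticated ? session.role : 'publico';
  const fields = FIELDS_BY_ROLE.get(role);
  if (fields === undefined) {
    return { status: 403, body: { error: 'role not permitted' } };
  }
  return { status: 200, body: db.map((u) => project(u, fields)) };
}

module.exports = { project, listUsuarios, FIELDS_BY_ROLE, ALWAYS_HIDDEN };
```

Whatever the user inspects in the developer tools, the public response carries only `id` and `nome`, the client response adds `telefone` and `email`, and even the admin response never includes the password hash. The filtering is a property of the server, so the browser cannot bypass it.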
