block includes
  include ../_util-fns

:marked
  This page describes Angular's built-in protections against common web-application vulnerabilities and attacks such as cross-site scripting attacks. It doesn't cover application-level security, such as authentication (_Who is this user?_) and authorization (_What can this user do?_).

  For more information about the attacks and mitigations described below, see [OWASP Guide Project](https://www.owasp.org/index.php/Category:OWASP_Guide_Project).

.l-main-section
:marked
  # Contents

  * [Reporting vulnerabilities](#report-issues).
  * [Best practices](#best-practices).
  * [Preventing cross-site scripting (XSS)](#xss).
  * [Trusting safe values](#bypass-security-apis).
  * [HTTP-Level vulnerabilities](#http).
  * [Auditing Angular applications](#code-review).

:marked
  You can run the in Plunker and download the code from there.

.l-main-section
h2#report-issues Reporting vulnerabilities
:marked
  To report vulnerabilities in Angular itself, email us at [security@angular.io](mailto:security@angular.io).

  For more information about how Google handles security issues, see [Google's security philosophy](https://www.google.com/about/appsecurity/).

.l-main-section
h2#best-practices Best practices
:marked
  * **Keep current with the latest Angular library releases.** We regularly update the Angular libraries, and these updates may fix security defects discovered in previous versions. Check the Angular [change log](https://github.com/angular/angular/blob/master/CHANGELOG.md) for security-related updates.
  * **Don't modify your copy of Angular.** Private, customized versions of Angular tend to fall behind the current version and may not include important security fixes and enhancements. Instead, share your Angular improvements with the community and make a pull request.
  * **Avoid Angular APIs marked in the documentation as "_Security Risk_."** For more information, see the [Trusting safe values](#bypass-security-apis) section of this page.
.l-main-section
h2#xss Preventing cross-site scripting (XSS)
:marked
  [Cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) enables attackers to inject malicious code into web pages. Such code can then, for example, steal user data (in particular, login data) or perform actions to impersonate the user. This is one of the most common attacks on the web.

  To block XSS attacks, you must prevent malicious code from entering the DOM (Document Object Model). For example, if attackers can trick you into inserting a `