block includes
include ../_util-fns
:marked
Web application security has many aspects. This chapter describes Angular's built in
protections against common web application vulnerabilities and attacks, such as Cross Site
Scripting Attacks. It does not cover application level security, such as authentication (_Who is
this user?_) or authorization (_What can this user do?_).
The [Open Web Application Security Project (OWASP)](https://www.owasp.org/index.php/Category:OWASP_Guide_Project)
has further information on the attacks and mitigations described below.
.l-main-section
:marked
# Table Of Contents
* [Reporting Vulnerabilities](#report-issues)
* [Best Practices](#best-practices)
* [Preventing Cross-Site Scripting (XSS)](#xss)
* [Trusting Safe Values](#bypass-security-apis)
* [HTTP-level Vulnerabilities](#http)
* [Auditing Angular Applications](#code-review)
Try the of the code shown in this chapter.
.l-main-section
h2#report-issues Reporting Vulnerabilities
:marked
Email us at [security@angular.io](mailto:security@angular.io) to report vulnerabilities in
Angular itself.
For further details on how Google handles security issues please refer to [Google's security
philosophy](https://www.google.com/about/appsecurity/).
.l-main-section
h2#best-practices Best Practices
:marked
* **Keep current with the latest Angular library releases.**
We regularly update our Angular libraries and these updates may fix security defects discovered in
previous version. Check the Angular [change
log](https://github.com/angular/angular/blob/master/CHANGELOG.md) for security-related updates.
* **Don't modify your copy of Angular.**
Private, customized versions of Angular tend to fall behind the current version and may neglect
important security fixes and enhancements. Instead, share your Angular improvements with the
community and make a pull request.
* **Avoid Angular APIs marked in the documentation as “[_Security Risk_](#bypass-security-apis)”.**
.l-main-section
h2#xss Preventing Cross-Site Scripting (XSS)
:marked
[Cross-Site Scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) enables attackers
to inject malicious code into web pages. Such code can then, for example, steal user's data (in
particular their login data), or perform actions impersonating the user. This is one of the most
common attacks on the web.
To block XSS attacks, we must prevent malicious code from entering the DOM. For example, if an
attacker can trick us into inserting a `