Angular Security

Security gets more and more important as applications and their user base grow, especially in the current age of more and more attacks. As soon as you have a public accessible domain, you can observe botnets e.g. searching for a /wp-admin/setup-config.php or other malicious practices (from what I observed ...).

A good resource to learn more about security is the Open Worldwide Application Security Project (OWASP) and the current OWASP Cheat Sheet Series. Here we will concentrate on client side security mainly, but also will look into server side rendering security on the surface.

Possible attack vectors

First we want to understand, how attackers can exploit our applications. Client side attacks are mainly focused on cross site scripting (XSS) and cross site request forgery (CSRF). These attacks exploit vulnerabilities in the browser and can be used to steal data from the user. This data data can be everything from a session token, a password, cookies or privacy critical information like IP addresses or bank credentials.

XSS can circumvent the same-origin policy and therefore be used to access sensitive data secured by CSRF protection. It is still important for a web application, which relies on cookie authentication, to protect against both types of attacks.

Outside of your code, also third party code can be malicious, so keeping all dependencies up to date and altering with third party implementations as little as possible is a good practice. For more information about dependencies look into Software Bill of Materials (SBOM) tools like CycloneDX from the OWASP project.

Cross Site Scripting

XSS tries to execute malicious code in a victim's browser. This can be done in many ways, mostly by e.g. saving some data in a cookie or by injecting a script tag into a page. This is done by finding e.g. a saved form data or other user input, which is saved and later injected and executed in a victims browser.

This can be dangerous, because it allows an attacker to impersonate the victim and steal sensitive data or perform other malicious actions on the users behalf. The attacker can also inject malicious code into the victim's browser, which can lead to other attacks like Clickjacking.

Reflected / Stored / DOM based XSS

In general we can divide XSS attacks into three categories: Reflected, Stored and DOM based. All XSS attacks are executed in the browser, but where the attack stores the data makes the differnce:

Stored XSS: The script is permanently saved on the server (e.g., in a database).

sequenceDiagram
    actor Attacker1 as Attacker
    participant Server1 as Server
    participant Database1 as Database
    participant VictimBrowser1 as Victim's Browser
    actor Victim1 as Victim

    Attacker1->>Server1: POST request with malicious script
    Server1->>Database1: Saves script
    Database1-->>Server1: Confirmation
    Server1->>Attacker1: Success Response

    Note over Server1, VictimBrowser1: Time passes...

    Victim1->>VictimBrowser1: Navigates to the vulnerable page
    VictimBrowser1->>Server1: GET request for the page
    Server1->>Database1: Retrieves page content, including stored malicious script
    Database1-->>Server1: Page content with malicious script
    Server1->>VictimBrowser1: Sends page content including malicious script in HTML
    VictimBrowser1->>Victim1: Executes malicious script

Reflected XSS: The script is sent to the server (e.g., in a URL) and immediately reflected back to the user without being stored.

sequenceDiagram
    actor Attacker2 as Attacker
    participant AttackerMail2 as Attacker's Email/Chat
    actor Victim2 as Victim
    participant VictimBrowser2 as Victim's Browser
    participant Server2 as Server

    Attacker2->>AttackerMail2: Crafts malicious link with script payload
    AttackerMail2->>Victim2: Sends phishing email/message with malicious link

    Victim2->>VictimBrowser2: Clicks the malicious link
    VictimBrowser2->>Server2: GET request with malicious script in URL parameter
    Server2->>VictimBrowser2: Reflects malicious script directly in HTML response
    VictimBrowser2->>Victim2: Executes malicious script

DOM-based XSS: The script is never sent to the server. It's executed entirely in the client's browser (the DOM) as a result of insecure client-side code.

sequenceDiagram
    actor Attacker3 as Attacker
    participant AttackerMail3 as Attacker's Email/Chat
    actor Victim3 as Victim
    participant VictimBrowser3 as Victim's Browser
    participant Server3 as Server
    participant ClientSideJS

    Attacker3->>AttackerMail3: Crafts malicious link with script payload in URL fragment
    AttackerMail3->>Victim3: Sends phishing email/message with malicious link

    Victim3->>VictimBrowser3: Clicks the malicious link
    VictimBrowser3->>Server3: GET request for the vulnerable page (URL fragment is NOT sent to server)
    Server3->>VictimBrowser3: Sends legitimate HTML and vulnerable Client-Side JavaScript
    VictimBrowser3->>ClientSideJS: Page loads, Client-Side JavaScript starts execution
    ClientSideJS->>VictimBrowser3: Reads malicious payload from URL fragment (window.location.hash)
    ClientSideJS->>VictimBrowser3: Insecurely writes payload into the DOM
    VictimBrowser3->>Victim3: Executes malicious script inserted into DOM

How to prevent XSS attacks in general

The most common way to defend against it is to escape/ encode all user input before saving it to a database or other storage and sanitize all user input before displaying it to other users. Most common frontend framweworks like Angular or React already provide a built-in XSS protection.

sequenceDiagram
    actor Attacker
    participant WebServer
    participant Database
    actor Victim
    participant VictimBrowser

    autonumber

    %% --- Part 1: Input & Sanitization (Write Phase) ---
    Attacker->>WebServer: POST request with malicious payload (e.g., O'Malley<script>alert(1)</script>)

    activate WebServer
    Note over WebServer: == 1. Input Sanitization (On Write) ==
    WebServer->>WebServer: Sanitizer Library filters input. <br/> Removes dangerous tags like <script>.
    Note over WebServer: Sanitized Data: "O'Malleyalert(1)"

    WebServer->>Database: Stores **sanitized** data
    Database-->>WebServer: Confirmation
    deactivate WebServer

    Note over Attacker, VictimBrowser: ... Time passes ...

    Victim->>VictimBrowser: Navigates to page
    VictimBrowser->>WebServer: GET request for page content

    activate WebServer
    WebServer->>Database: Retrieve data
    Database-->>WebServer: Returns **sanitized** data ("O'Malleyalert(1)")

    Note over WebServer: == 2. Output Encoding (On Read) ==
    WebServer->>WebServer: Encoder Library escapes data for HTML context. <br/> Converts ' to '
    Note over WebServer: Encoded Data: "O'Malleyalert(1)"

    WebServer->>VictimBrowser: Sends HTML with **encoded & sanitized** data
    deactivate WebServer

    VictimBrowser->>Victim: Renders "O'Malleyalert(1)" as plain text. <br/> (Script does not run!)
    VictimBrowser--x Attacker: XSS Attack Prevented

Sanitizing and Encoding / Escaping

Sometimes the difference between sanitizing and encoding / escaping is not quite clear - so here a short summary:

Sanitizing: Removes dangerous tags and attributes from user input. E.g. removes <script> tags. You can think of it like a bouncer at a club - it decides which tags and attributes are allowed to be used in the HTML and filters all others out.
Escaping is a specific form of encoding that converts characters to their HTML/XML equivalents. E.g. < becomes <. This is necessary to prevent XSS attacks, because < is a valid character in HTML and can be used to inject scripts.

Of course you normally should try not to interpret user data at all in html, but sometime you might need to do so. E.g. if you want to display a user's email address in a <a> tag. In this case you need to encode the email address to prevent XSS attacks.

Another common case for wanting some html be rendered from user input are rich text editors. In this case you need to sanitize the input before rendering it to only allow certain tags and attributes important for the rich text editor, but nothing else. This can be especially tricky with external loaded sources like images or other binaries. Even a style attribute can load background images, so we have to mitigate that, while allowing certain interactivity.

XSS prevention in Angular

Angulars default way is to trat values as untrusted, but you still have to look out for some pitfalls. You can mark values as trusted, but this should only happen if you are sure that the value is safe (already sanitized/ escaped). Also when manipulating the DOM e.g. with the Renderer2 or document directly you have to be aware of the security implications. The DomSanitizer is the inbuilt Angular service to sanitize and escape values client side.

To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template binding, or interpolation, Angular sanitizes and escapes untrusted values. If a value was already sanitized outside of Angular and is considered safe, communicate this to Angular by marking the value as trusted.
From Angular Docs

Angulars default model prevents xss, so something like this wouldn't work:

  
import { Component } from '@angular/core';

@Component({
  selector: 'app-default-safe',
  template: `
    <h3>1. Angular's Default (Safe)</h3>
    <p>The attack is automatically removed:</p>
    <div [innerHTML]="htmlContent"></div>
  `
})
export class DefaultSafeComponent {
    // This is the dangerous string we want to display
    htmlContent = `This is <b>bold</b> text. <img src=x onerror="alert('XSS Attack!')">`;
    // The 'onerror' will be stripped. Only 'This is <b>bold</b> text. <img src=x>' will render.
}

But this can be circumvented by using the DomSanitizer service:

  
import { Component } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

@Component({
  selector: 'app-unsafe',
  template: `
    <h3>1. Angular's Bypassed (Unsafe)</h3>
    <p>The attack is executed:</p>
    <div [innerHTML]="htmlContent"></div>
  `
})
export class DefaultSafeComponent {
    private readonly _sanitizer = inject(DomSanitizer);
    // This is the dangerous string we want to trust
    htmlContent: TrustedHtml = this._sanitizer.bypassSecurityTrustHtml(
      `This is <b>bold</b> text. <img src=x onerror="alert('XSS Attack!')">`
    );
}

Normally we don't want to use the bypassSecurityTrustHtml function without making sure the content is sanitized - so in the example of rich text, where we need sanitize rules, to circumvent some angular default sanitization, we rely on libraries like DomPurify:

  
import { Component } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
import * as DOMPurify from 'dompurify'; // Import the library

@Component({
  selector: 'app-unsafe',
  template: `
    <h3>1. Angular's Bypassed (Unsafe)</h3>
    <p>The attack is executed:</p>
    <div [innerHTML]="htmlContent"></div>
  `
})
export class DefaultSafeComponent {
    private readonly _sanitizer = inject(DomSanitizer);
    // This is the dangerous string we want to trust, after sanitized by DOMPurify
    htmlContent: TrustedHtml = this._sanitizer.bypassSecurityTrustHtml(
      DOMPurify.sanitize(
        `This is <b>bold</b> text. <img src=x onerror="alert('XSS Attack!')">`
      )
    );
}

In other cases you need to build simple DOM structures, this can be done XSS safe when using the Renderer2. It allows you to define elements, add attributes and text and the append the nodes to the DOM. Make sure to put user content only inside of the createText function, or sanitize the content beforehand.

  
// component.ts
import { Component, Renderer2, ElementRef, viewChild, effect } from '@angular/core';

@Component({
    selector: 'app-renderer-safe',
    template: `
      <h3>3. The Programmatic Way (Very Safe)</h3>
      <p>HTML tags are rendered as text, or elements are built safely:</p>
      <div #target></div>
    `
})
export class RendererSafeComponent {
    private readonly _renderer = inject(Renderer2);
    readonly target = viewChild('target');

    constructor() {
      effect(() => {
        const target = this.target().nativeElement;
        if (target) {
          const p = this.renderer.createElement('p');
          const text1 = this.renderer.createText('This is ');
          const b = this.renderer.createElement('b');
          const boldText = this.renderer.createText('safe');
          const text2 = this.renderer.createText(' text. No XSS possible.');

          // Build the structure: <p>This is <b>safe</b> text...</p>
          this.renderer.appendChild(b, boldText);
          this.renderer.appendChild(p, text1);
          this.renderer.appendChild(p, b);
          this.renderer.appendChild(p, text2);

          // Add it to the DOM
          this.renderer.appendChild(target, p);
        }
      });
    }
}

Cross Site Request Forgery

A Cross-Site Request Forgery (CSRF) attack occurs when a malicious web site, email, blog, instant message, or program tricks an authenticated user's web browser into performing an unwanted action on a trusted site. If a target user is authenticated to the site, unprotected target sites cannot distinguish between legitimate authorized requests and forged authenticated requests.
From OWASP Cheat Sheet Series

The main mitigation strategies for CSRF are Same Origin Policy, CSRF Tokens and a secure authentication mechanism.

Authentication

State of the art authentication requires some kind of Single Sign On (SSO) method to be used. This prevents the application from accessing authentication critical information from the browser at any step - only the authentication server should be able to verify the user's identity.

sequenceDiagram
    autonumber
    participant U as User
    participant B as Browser (User Agent)
    participant SP as Client App (Backend)
    participant IdP as Identity Provider (Auth Server)

    Note over U, IdP: Phase 1: Initiation & Redirection
    U->>B: Visits Protected Page (/dashboard)
    B->>SP: GET /dashboard
    Note right of B: No Session Cookie found
    SP-->>B: 302 Redirect to IdP
    Note right of B: Params: client_id, redirect_uri,
response_type=code, state=XYZ,
code_challenge (PKCE)

    B->>IdP: GET /authorize?...params...

    Note over U, IdP: Phase 2: Authentication
    IdP->>U: Prompt for Credentials
    U->>IdP: Enters Username/Password
    IdP->>IdP: Validates Credentials
    IdP-->>B: 302 Redirect to App Callback
    Note right of B: Params: code=AUTH_CODE, state=XYZ

    Note over U, IdP: Phase 3: Token Exchange (Back Channel)
    B->>SP: GET /callback?code=AUTH_CODE&state=XYZ
    SP->>SP: Verify 'state' matches (Anti-CSRF)

    SP->>IdP: POST /token
    Note right of SP: Payload: code, client_secret, code_verifier (PKCE)
    IdP->>IdP: Validate code & verifier
    IdP-->>SP: 200 OK (Access Token, ID Token)

    Note over U, IdP: Phase 4: Secure Session Establishment
    SP->>SP: Validate ID Token Signature
    SP->>SP: Create Local Session
    SP-->>B: 302 Redirect to /dashboard
    Note right of B: Set-Cookie: session_id=abc, HttpOnly, Secure, SameSite=Lax

    Note over U, IdP: Phase 5: Authenticated Access
    B->>SP: GET /dashboard
    Note right of B: Cookie: session_id=abc
    SP->>SP: Lookup Session -> Retrieve Access Token
    SP-->>B: Return Protected Content

The anti-CSRF mechanism is to validate the state parameter in the redirect from the IdP. Also setting a SameSite=Lax, HttpOnly, Secure on the session cookie prevents CSRF attacks from cross-site subrequests. Aim is to not save the token or refresh token anywhere in the browser, where an attacker might be able to access it and prevent interfering with the sign in process though cryptographic mechanisms.

Cookies

I already mentioned the Cookie attributes SameSite, HttpOnly and Secure in the authentication section. Here I want to explain the settings and their impact on the CSRF protection:

SameSite - Defined weather the cookie should be sent with cross-site requests.
- Lax - Allows cookies to be sent with cross-site subrequests, but only for same-site requests or cross site requests under following conditions:
  - The request is a top level navigation, this excludes requests made e.g. with fetch() or XMLHttpRequest or requests from sub resources like images, stylesheets or scripts. Included would be requests made by interactions of the user, e.g. clicking a link or submitting a form.
  - The request uses a safe method, e.g. GET or HEAD.
- Strict - Does not allow the cookie to be sent with cross-site subrequests.
- None - Disables the SameSite restriction.
HttpOnly - Prevents client-side JavaScript from accessing the cookie, e.g. via the document.cookie API. A Cookie created with this attribute will still be sent with requests made with JavaScript initiated requests, e.g. fetch() or XMLHttpRequest.send()
Secure - Indicates that the cookie is sent to the server only when a request is made with the https: scheme (except on localhost), and therefore, is more resistant to man-in-the-middle attacks.
Max-Age - Indicates the number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both Expires and Max-Age are set, Max-Age has precedence.

Read the MDN Set-Cookie Reference for more on cookie attributes.

Headers

Http headers are one of the most important security mechanisms, because they allow the server to set boundaries for their clients, in which they have to operate. This is especially important for CSRF attacks, but alos helps against man-in-the-middle attacks, cross-site scripting (XSS) and many others.

Header	Description
Security
`Content-Security-Policy (CSP)`	Controls resources the user agent is allowed to load for a given page based on their URI. You can control different sources. Fetch Directives `default-src` Fallback for the other `fetch directives` `child-src` Defines the valid sources for web workers and nested browsing contexts loaded using elements such as `<frame>` and `<iframe>`. `connect-src` Restricts the URLs which can be loaded using script interfaces. `font-src` Specifies valid sources for fonts loaded using `@font-face`. `frame-src` Specifies valid sources for nested browsing contexts loaded into elements such as `<frame>` and `<iframe>`. `img-src` Specifies valid sources of images and favicons. `manifest-src` Specifies valid sources of application manifest files. `media-src` Specifies valid sources for loading media using the `<audio>`, `<video>` and `<track>` elements. `object-src` Specifies valid sources for the `<object>` and `<embed>` elements. `script-src` Specifies valid sources for JavaScript and WebAssembly resources. Fallback for `script-src-elem` and `script-src-attr`. `script-src-elem` Specifies valid sources for JavaScript `<script<` elements. `script-src-attr` Specifies valid sources for JavaScript inline event handlers. `style-src` Specifies valid sources for stylesheets. Fallback for `style-src-elem` and `style-src-attr`. `style-src-elem` Specifies valid sources for stylesheets `<style>` elements and `<link>` elements with `rel="stylesheet"`. `style-src-attr` Specifies valid sources for inline styles applied to individual DOM elements. `worker-src` Specifies valid sources for `Worker` , `SharedWorker`, or `ServiceWorker` scripts. Document Directives `base-uri` Restricts the URLs which can be used in a document's `<base>` element. `sandbox` Enables a sandbox for the requested resource similar to the `<iframe>sandbox` attribute. Navigation Directives `form-action` Restricts the URLs which can be used as the target of a form submissions from a given context. `frame-ancestors` Specifies valid parents that may embed a page using `<frame>`, `<iframe>`, `<object>`, or `<embed>`. Reporting Directives `report-to` Provides the browser with a token identifying the reporting endpoint or group of endpoints to send CSP violation information to. The endpoints that the token represents are provided through other HTTP headers, such as `Reporting-Endpoints` and `Report-To` Other Directives `require-trusted-types-for` Enforces `Trusted Types` at the DOM XSS injection sinks. `trusted-types` Used to specify an allowlist of `Trusted Types` policies. Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings. `upgrade-insecure-requests` Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for websites with large numbers of insecure legacy URLs that need to be rewritten. Values for this directives can be one of the following: `none` Indicating that the specific resource type should be completely blocked `'nonce-<nonce-value>'` This value consists of the string nonce- followed by a nonce value. The nonce value may use any of the characters from Base64 or URL-safe Base64. This string is a random value that the server generates for every HTTP response. For example: `'nonce-416d1177-4d12-4e3b-b7c9-f6c409789fb8'` The server can then include the same value as the value of the `nonce` attribute of any `<script>` or `<style>` resources that they intend to load from the document. The browser compares the value from the CSP directive against the value in the element attribute, and loads the resource only if they match. If a directive contains a nonce and `unsafe-inline`, then the browser ignores `unsafe-inline`. See Nonces in the CSP guide for more usage information. `'<hash_algorithm>-<hash_value>'` This value consists of a string identifying a hash algorithm, followed by -, followed by a hash value. The hash value may use any of the characters from Base64 or URL-safe Base64. The hash algorithm identifier must be one of `sha256`, `sha384`, or `sha512` The hash value is the base64-encoded hash of a `<script>` or `<style>` resource, calculated using one of the following hash functions: `SHA-256`, `SHA-384`, or `SHA-512` For example: `'sha256-cd9827ad...'` When the browser receives the document, it hashes the contents of any `<script>` and `<style>` elements, compares the result with any hashes in the CSP directive, and loads the resource only if there is a match. If the element loads an external resource (for example, using the `src` attribute), then the element must also have the `integrity` attribute set. `<host-source>` The URL or IP address of a host that is a valid source for the resource. The scheme, port number, and path are optional. If the scheme is omitted, the scheme of the document's origin is used. `http://example.com http://*.example.com example.com/api/` `<scheme-source>` A scheme, such as `https:`. The colon is required. Secure upgrades are allowed, so: `http:` will also permit resources loaded using HTTPS `ws:` will also permit resources loaded using WSS. `'self'` Resources of the given type may only be loaded from the same origin as the document. `'trusted-types-eval'` By default, if a CSP contains a `default-src` or a `script-src` directive, then JavaScript functions which evaluate their arguments as JavaScript are disabled. This includes `eval()` , the `code` argument to `setTimeout()` , or the `Function()` constructor. The `trusted-types-eval` keyword can be used to undo this protection, but only when Trusted Types are enforced and passed to these functions instead of strings. This allows dynamic evaluation of strings as JavaScript, but only after inputs have been passed through a transformation function before it is injected, which has the chance to sanitize the input to remove potentially dangerous markup. Note: Developers should avoid using `trusted-types-eval` or these methods unless absolutely necessary. Trusted types ensure that the input passes through a transformation function — they don't ensure that the transformation makes the input safe (and this can be very hard to get right). `'unsafe-eval'` By default, if a CSP contains a default-src or a script-src directive, then JavaScript functions which evaluate their arguments as JavaScript are disabled. This includes eval(), the code argument to setTimeout(), or the Function() constructor. The unsafe-eval keyword can be used to undo this protection, allowing dynamic evaluation of strings as JavaScript. Warning: Developers should avoid `'unsafe-eval'`, because it defeats much of the purpose of having a CSP. `'trusted-types-eval'` provides a "potentially" safer alternative if using these methods is necessary. `'wasm-unsafe-inline'` By default, if a CSP contains a `default-src` or a `script-src` directive, then a page won't be allowed to compile WebAssembly using functions like `WebAssembly.compileStreaming()`. The `wasm-unsafe-eval` keyword can be used to undo this protection. This is a much safer alternative to `'unsafe-eval'`, since it does not enable general evaluation of JavaScript. `'unsafe-inline'` By default, if a CSP contains a `default-src` or a `script-src` directive, then inline JavaScript is not allowed to execute. This includes: inline <script> tags inline event handler attributes `javascript:` URLs. Similarly, if a CSP contains `default-src` or a `style-src` directive, then inline CSS will not be loaded, including: inline <style> tags `style` attributes. The `unsafe-inline` keyword can be used to undo this protection, allowing all these forms to be loaded. Warning: Developers should avoid `'unsafe-inline'`, because it defeats much of the purpose of having a CSP. `'unsafe-hashes'` By default, if a CSP contains a default-src or a script-src directive, then inline event handler attributes like onclick and inline style attributes are not allowed to execute. The 'unsafe-hashes' expression allows the browser to use hash expressions for inline event handlers and style attributes. Warning: The `'unsafe-hashes'` value is unsafe. `'inline-speculation-rules'` By default, if a CSP contains a `default-src` or a `script-src` directive, then inline JavaScript is not allowed to execute. The `'inline-speculation-rules'` allows the browser to load inline `<script>` elements that have a `type` attribute of `speculationrules`. See the Speculation Rules API for more information. `'strict-dynamic'` The `'strict-dynamic'` keyword makes the trust conferred on a script by a `nonce` or a `hash` extend to scripts that this script dynamically loads, for example by creating new `<script>` tags using `Document.createElement()` and then inserting them into the document using `Node.appendChild()`. `'report-sample'` If this expression is included in a directive controlling scripts or styles, and the directive causes the browser to block any inline scripts, inline styles, or event handler attributes, then the violation report that the browser generates will contain a `sample` property containing the first 40 characters of the blocked resource.
`Content-Security-Policy-Report-Only`	Allows web developers to experiment with policies by monitoring, but not enforcing, their effects. These violation reports consist of `JSON` documents sent via an HTTP `POST` request to the specified URI.
`Cross-Origin-Embedder-Policy (COEP)`	Allows a server to declare an embedder policy for a given document. `unsafe-none` Allows the document to load cross-origin resources without giving explicit permission through the CORS protocol or the `Cross-Origin-Resource-Policy` header. This is the default value. `require-corp` A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin. Cross-origin resource loading will be blocked by COEP unless: The resource is requested in no-cors mode and the response includes a `Cross-Origin-Resource-Policy` header that allows it to be loaded into the document origin. The resource is requested in cors mode and the resource supports and is permitted by CORS. This can be done, for example, in HTML using the `crossorigin` attribute, or in JavaScript by making a request with `{mode="cors"}`. `credentialless` A document can load cross-origin resources that are requested in `no-cors` mode without an explicit permission via the `Cross-Origin-Resource-Policy` header. In this case requests are sent without credentials: cookies are omitted in the request, and ignored in the response. The cross-origin loading behavior for other request modes is the same as for require-corp. For example, a cross-origin resource requested in `cors` mode must support (and be permitted by) CORS.
`Cross-Origin-Opener-Policy (COOP)`	Allows a website to control whether a new top-level document, opened using `Window.open()` or by navigating to a new page, is opened in the same browsing context group (BCG) or in a new browsing context group. When opened in a new BCG, any references between the new document and its opener are severed, and the new document may be process-isolated from its opener. This ensures that potential attackers can't open your documents with `Window.open()` and then use the returned value to access its global object, and thereby prevents a set of cross-origin attacks referred to as XS-Leaks. `unsafe-none` The document permits sharing its browsing context group with any other document, and may therefore be unsafe. It is used to opt-out a document from using COOP for process isolation. This is the default value. On navigations, documents with `unsafe-none` will always open and be opened into a new BCG — unless the other document also has `unsafe-none` (or no COOP directive value). Using `Window.open()`, documents with `unsafe-none` will always open documents with any other value into a new BCG. However documents with unsafe-none can be opened in the same BCG if the opener has the directive same-origin-allow-popups, `noopener-allow-popups`, or `unsafe-none`. A document with same-origin will always open a document with `unsafe-none` in a new BCG. `same-origin-allow-popups` The document permits loading into BCGs that use COOP and contain only same-origin documents. This is used to provide `cross-origin isolation` for a BCG. Documents with `same-origin` will only open and be opened in the same BCG if both documents are `same-origin` and have the `same-origin` directive. `same-origin` This is similar to `same-origin` directive, except that it allows the opening of documents using `Window.open()` in the same BCG if they have a COOP value of unsafe-none. The directive is used to relax the same-origin restriction for integrations where a document needs the benefits of cross-origin isolation but also needs to open and retain a reference to trusted cross-origin documents. For example, when using a cross-origin service for OAuth or payments. A document with this directive can open a document in the same BCG using Window.open() if it has a COOP value of unsafe-none. In this case it does not matter if the opened document is cross-site or same-site. Otherwise documents with same-origin-allow-popups will only open and be opened in the same BCG if both documents are same-origin and have the same-origin-allow-popups directive. `noopener-allow-popups` Documents with this directive are always opened into a new BCG, except when opened by navigating from a document that also has `noopener-allow-popups`. It is used to support cases where there is a need to process-isolate same-origin documents. This severs the connections between the new document and its opener, isolating the browsing context for the current document regardless of the opener document's origin. This ensures that the opener can't run scripts in opened documents and vice versa — even if they are same-origin. On navigations, a document with this directive will always open other documents in a new BCG unless they are same-origin and have the directive `noopener-allow-popups`. Using `Window.open()`, a document with this directive will open documents in a new BCG unless they have `unsafe-none`, and in this case it does not matter if they are same-site or cross-site.
`Cross-Origin-Resource-Policy (CORP)`	Prevents other domains from reading the response of the resources to which this header is applied. See also CORP explainer article.
`Permissions-Policy`	Provides a mechanism to allow and deny the use of browser features in a website's own frame, and in `<iframe>`s that it embeds. `<directive>=<allowList>` `accelerometer` (Experimental) Controls whether the current document is allowed to gather information about the acceleration of the device through the `Accelerometer` interface. `ambient-light-sensor` (Experimental) Controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the `AmbientLightSensor` interface. `attribution-reporting` (Experimental) Controls whether the current document is allowed to use the Attribution Reporting API. `autoplay` (Experimental) Controls whether the current `document` is allowed to autoplay media requested through the `HTMLMediaElement` interface. When this policy is disabled and there were no user gestures, the `Promise` returned by `HTMLMediaElement.play()` will reject with a `NotAllowedError` `DOMException` . The autoplay attribute on `<audio>` and `<video>` elements will be ignored. `bluetooth` (Experimental) Controls whether the use of the Web Bluetooth API is allowed. When this policy is disabled, the methods of the `Bluetooth` object returned by `Navigator.bluetooth` will either return `false` or reject the returned `Promise` with a `SecurityError` `DOMException`. `camera` (Experimental) Controls whether the current document is allowed to use video input devices. The `Promise` returned by `getUserMedia()` will reject with a `NotAllowedErrorDOMException` if the permission is not allowed. `captured-surface-control` (Experimental) Controls whether or not the `document` is permitted to use the Captured Surface Control API. The `Promise` returned by the API's main methods will reject with a `NotAllowedErrorDOMException` if the permission is not allowed. `compute-pressure` (Experimental) Controls access to the Compute Pressure API. `cross-origin-isolated` (Experimental) Controls whether the current document can be treated as cross-origin isolated. `deferred-fetch` (Experimental) Controls the allocation of the top-level origin's `fetchLater()` quota. `deferred-fetch-minimal` (Experimental) Controls the allocation of the shared cross-origin subframe `fetchLater()` quota. `display-capture` (Experimental) Controls whether or not the current document is permitted to use the `getDisplayMedia()` method to capture screen contents. When this policy is disabled, the promise returned by `getDisplayMedia()` will reject with a `NotAllowedErrorDOMException` if permission is not obtained to capture the display's contents. `encrypted-media` (Experimental) Controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is disabled, the Promise returned by `Navigator.requestMediaKeySystemAccess()` will reject with a `SecurityErrorDOMException`. `fullscreen` (Experimental) Controls whether the current document is allowed to use `Element.requestFullscreen()`. When this policy is disabled, the returned `Promise` rejects with a `TypeError` . `gamepad` (Experimental) Controls whether the current document is allowed to use the `Gamepad API`. When this policy is disabled, calls to `Navigator.getGamepads()` will throw a `SecurityErrorDOMException`, and the `gamepadconnected` and `gamepaddisconnected` events will not fire. `geolocation` (Experimental) Controls whether the current document is allowed to use the `Geolocation` Interface. When this policy is disabled, calls to `getCurrentPosition()` and `watchPosition()` will cause those functions' callbacks to be invoked with a `GeolocationPositionError` code of `PERMISSION_DENIED`. `gyroscope` (Experimental) Controls whether the current document is allowed to gather information about the orientation of the device through the `Gyroscope` interface. `hid` (Experimental) Controls whether the current document is allowed to use the WebHID API to connect to uncommon or exotic human interface devices such as alternative keyboards or gamepads. `identity-credentials-get` (Experimental) Controls whether the current document is allowed to use the Federated Credential Management API (FedCM). `idle-detection` (Experimental) Controls whether the current document is allowed to use the Idle Detection API to detect when users are interacting with their devices, for example to report "available"/"away" status in chat applications. `language-detector` (Experimental) Controls access to the language detection functionality of the Translator and Language Detector APIs. `local-fonts` (Experimental) Controls whether the current document is allowed to gather data on the user's locally-installed fonts via the `Window.queryLocalFonts()` method (see also the Local Font Access API). `magnetometer` (Experimental) Controls whether the current document is allowed to gather information about the orientation of the device through the `Magnetometer` interface. `microphone` (Experimental) Controls whether the current document is allowed to use audio input devices. When this policy is disabled, the `Promise` returned by `MediaDevices.getUserMedia()` will reject with a `NotAllowedErrorDOMException`. `midi` (Experimental) Controls whether the current document is allowed to use the Web MIDI API. When this policy is disabled, the `Promise` returned by `Navigator.requestMIDIAccess()` will reject with a `SecurityError` `DOMException`. `otp-credentials` (Experimental) Controls whether the current document is allowed to use the WebOTP API to request a one-time password (OTP) from a specially-formatted SMS message sent by the app's server, i.e., via `navigator.credentials.get({otp: ..., ...})`. `payment` (Experimental) Controls whether the current document is allowed to use the Payment Request API. When this policy is enabled, the `PaymentRequest()` constructor will throw a `SecurityErrorDOMException`. `picture-in-picture` (Experimental) Controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API. `publickey-credentials-create` (Experimental) Controls whether the current document is allowed to use the Web Authentication API to create new asymmetric key credentials, i.e., via `navigator.credentials.create({publicKey: ..., ...})`. `publickey-credentials-get` (Experimental) Controls whether the current document is allowed to use the Web Authentication API to retrieve already stored public-key credentials, i.e., via `navigator.credentials.get({publicKey: ..., ...})`. `screen-wake-lock` (Experimental) Controls whether the current document is allowed to use Screen Wake Lock API to indicate that device should not turn off or dim the screen. `serial` (Experimental) Controls whether the current document is allowed to use the Web Serial API to communicate with serial devices, either directly connected via a serial port, or via USB or Bluetooth devices emulating a serial port. `speaker-selection` (Experimental) Controls whether the current document is allowed to use the Audio Output Devices API to list and select speakers. `storage-access` (Experimental) Controls whether a document loaded in a third-party context (i.e., embedded in an `<iframe>`) is allowed to use the Storage Access API to request access to unpartitioned cookies. `translator` (Experimental) Controls access to the translation functionality of the Translator and Language Detector APIs. `summarizer` (Experimental) Controls access to the Summarizer API. `usb` (Experimental) Controls whether the current document is allowed to use the WebUSB API. `web-share` (Experimental) Controls whether or not the current document is allowed to use the `Navigator.share()` of Web Share API to share text, links, images, and other content to arbitrary destinations of user's choice, e.g., mobile apps. `window-management` (Experimental) Controls whether or not the current document is allowed to use the Window Management API to manage windows on multiple displays. `xr-spatial-tracking` (Experimental) Controls whether or not the current document is allowed to use the WebXR Device API to interact with a WebXR session. `*` The feature will be allowed in this document, and all nested browsing contexts (<iframe>s) regardless of their origin. `()`[empty allow list] The feature is disabled in top-level and nested browsing contexts. The equivalent for `<iframe>` allow attributes is `'none'`. `self` The feature will be allowed in this document, and in all nested browsing contexts (`<iframe>`s) in the same origin only. The feature is not allowed in cross-origin documents in nested browsing contexts. `self` can be considered shorthand for `https://your-site.example.com`. The equivalent for `<iframe>` allow attributes is `self`. `src` The feature will be allowed in this `<iframe>`, as long as the document loaded into it comes from the same origin as the URL in its src attribute. This value is only used in the `<iframe>` allow attribute, and is the default allowlist value in `<iframe>`s. `"<origin>"` The feature is allowed for specific origins (for example, `"https://a.example.com"`). Origins should be separated by spaces. Note that origins in `<iframe>` allow attributes are not quoted.
`Strict-Transport-Security (HSTS)`	Force communication using HTTPS instead of HTTP (redirect) `max-age=<expire-time>` The time, in seconds, that the browser should remember that a host is only to be accessed using HTTPS. `includeSubDomains` (Optional) If this directive is specified, the HSTS policy applies to all subdomains of the host's domain as well. `preload` (Optional) [Non-standard] See Preloading Strict Transport Security for details. When using `preload`, the `max-age` directive must be at least `31536000` (1 year), and the `includeSubDomains` directive must be present. Examples: `Strict-Transport-Security: max-age=<expire-time> Strict-Transport-Security: max-age=<expire-time>; includeSubDomains Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload`
`Upgrade-Insecure-Requests`	Sends a signal to the server expressing the client's preference for an encrypted and authenticated response, and that it can successfully handle the `upgrade-insecure-requests` directive. Example: `Upgrade-Insecure-Requests: 1 Upgrade-Insecure-Requests: 0`
`X-Content-Type-Options`	Disables MIME sniffing and forces browser to use the type given in `Content-Type`. The value can be `no-sniff`
`X-Frame-Options (XFO)`	Indicates whether a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>` or `<object>`.
`X-Permitted-Cross-Domain-Policies`	A cross-domain policy file may grant clients, such as Adobe Acrobat or Apache Flex (among others), permission to handle data across domains that would otherwise be restricted due to the Same-Origin Policy. The `X-Permitted-Cross-Domain-Policies` header overrides such policy files so that clients still block unwanted requests.
`X-Powered-By`	May be set by hosting environments or other frameworks and contains information about them while not providing any usefulness to the application or its visitors. Unset this header to avoid exposing potential vulnerabilities.
`X-XSS-Protection`	Enables cross-site scripting filtering.

Angular Specifics

In Angular we, for strict csp settings, have to differentiate between build targets (static / server) and if we want to render on the client or on the server.

Hash based solution

In static build applications (all pages pre-rendered) we have to option for auto csp. This is done by setting angular.json build.options.security

  
"architect": {
  "build": {
    "builder": "@angular/build:application",
    "options": {
      "outputMode": "static",
      "security": {
        "autoCsp": true
      }
    },
  }
}

The autoCsp option generates sha checksums for every resource while building (instead of a nonce based solution). This requires all resource loaded over a directive be known at build time. For some pages this is possible, for most usecases this may be hard to realize. For this cases you can use the nonce based solution.

Nonce based solution

In server and client side rendered applications (not static / prerendered), we can if we don't know all resources at build time, use a nonce based solution. In this case we have to supply a nonce per request (to an index.html). The nonce must be unique for every request.

In SSR / SSG applications we have to set the nonce manually. This can be done by using the ngCspNonce directive or providing the CSP_NONCE.
What of both is possible depends on the application. The nonce has to change for every request, so in case of dynamically rendered content we have to normally replace a nonce-placeholder with the actual nonce while rendering. This can be done by a angular SSR node instance or e.g. an NGinx proxy.