
My Angular (version 5) app is secured with a JWT token and AuthGuards. In theory a user is able to manipulate form data with Chrome's Developer Tools before the aggregated form values are sent to the server. Are there nowadays any good practices to prevent this on the client side, so that I can assume that the data sent over HTTPS to the server can be trusted?

This question addresses the problem: a server-side session in combination with validation is recommended there. But in a RESTful architecture there is no session anymore, and we can't prevent all combinations of manipulation attempts by using validation on the server side. Therefore I am looking for a convenient client-side solution that makes it uncomfortable for the normal user to manipulate data with developer tools. I also know that there can't be a 100% trustworthy client implementation. But complicating the manipulation attempts would be a nice trade-off.

Dirk Lammers
    Creating a hash over the data to submit would complicate data manipulation a bit since you would also have to create the hash for the manipulated data. – Dormilich Dec 13 '17 at 12:01
  • You don't have to prevent all combinations of manipulation attempts. Just check if the given combination makes sense and if the user is allowed to do this operation. Then do it. – Oliver Dec 13 '17 at 12:03
  • 100% trustful client is not practically achievable. – Zlatko Dec 13 '17 at 12:23

1 Answer


Consider creating HttpClient interceptors (see https://angular.io/guide/http), which will be automatically invoked for each HTTP request (including the ones initiated by forms). In those interceptors, you can implement some business logic to ensure that the data has not been manipulated by the user.

Yakov Fain
  • This would still allow the request to be modified _after_ the interceptor has run. – Zlatko Dec 13 '17 at 12:22
  • Using the HttpInterceptor approach in conjunction with the suggestion of https://stackoverflow.com/users/332419/dormilich to create hashes would definitely make it more complicated for the user to manipulate, which is what I asked for. Therefore thanks to Yakov and Dormilich. I'll try this pattern. – Dirk Lammers Dec 13 '17 at 12:29