Which is the way to secure app using spring boot and angular 8 without login?

Question

I want to secure the application which is using angular 8 and spring boot 5 but it is a free form and does not need login to access the UI. I have secured it using CSRF protection but any one can easily access POST endpoint by passing CSRF token in the request header which can be available from GET rest end point. So I need any good solution to implement security so that by spring rest end points should not be accessible other than angular pages in the project. Can anyone please help me.

Answer 1

In short, no.

You have ways of hiding requests by hitting endpoints that process your request, but since you start, consider you can't.

Let me explain further : JavaScript runs in the client's browser. It means the client has full access to your front-end code : if he wants, he can completely break down your application.

The plus side is that it can only be broken on his own computer : the client can't mess with another client's browser.

On the other side, your server can be accessed by anything, but you're the one that has master control on it : you should secure it.

To do that, as you said, you can use JWT. But JWT is an authentication process, which is basically an encoded string. By decoding it, you can get client information, but they aren't fetch from the DB, they are fetch from the token itself.

If you want to secure your endpoints, you could for instance state that only the user with the ID provided by the token can access your endpoint : tokens can't be forged without the signature. This would secure your endpoint and prevent other users from making modifications.

Consider making another question with the tags corresponding to your back end language, which will be way more helpful than asking for an Angular solution.

Answer 2

您是否考虑过将与浏览器 IP 相关的令牌的服务器端渲染嵌入到 Angular 中？