Posts

Showing posts from May, 2018

Authentication and Authorization with Angular 2+

In this tutorial, I'll show you how you can secure your Angular 2+ application. Please take a look at my previous post (Authorization and Authentication with AngularJS + Jersey) for the backend implementation.

1. Authentication mechanism

We use the JWT (JSON Web Token) authentication mechanism in our application. We have decided to store our JWT in a cookie with the HttpOnly (prevents XSS attacks from reading it) and Secure (sent over HTTPS only) flags. In order to prevent CSRF attacks we'll use the double submit cookie pattern.

This pattern is defined as sending a random value both in a cookie and as a request header. When a user authenticates to our application via the login page, the API responds with 2 cookies:

A cookie (XSRF-TOKEN) set with a strong random value, with the Secure flag only. We will instruct Angular HttpClient to read this value and set it as an HTTP header (X-XSRF-TOKEN) for each subsequent request. Since only JavaScript that runs on your domain can read the cookie, your server c