
Defend an unsecured Angular and Node app by learning web security fundamentals with practical attacks and defenses in a TypeScript backend, switching between the black hat and white hat roles.
Install Git, NodeJS, and NPM, use Git Bash for Windows, and manage branches. Then choose an IDE (WebStorm or VS Code) and set up the lessons code to begin adding security.
Clone the angular security course repository from GitHub, switch to the origin signup branch, and run npm install to install dependencies from package.json, guaranteeing a consistent dependency tree.
Run Node with TypeScript directly and hot-reload via nodemon, while the Angular dev server proxies /api requests to a secure HTTPS Node server on port 9000.
Implement signup functionality by posting to the backend to create a user. Create an Angular authentication service to handle signup, login, logout, and a user observable.
Design and implement a reactive authentication service in Angular, exposing isLoggedIn and isLoggedOut observables to control the top menu buttons via the async pipe and ng-container.
Implement client-side signup with the new Angular HttpClient, post email and password to /api/signup, validate form data, and cache results with shareReplay while broadcasting user data.
Explore how cryptographic hashes protect passwords by hashing with SHA-256 using Node's crypto module, and why digests replace plain text in password storage.
Hashing functions store passwords irreversibly as hashes with no key, producing a consistent output for a given input; verification hashes the entered password and compares it to the stored hash.
Choose and implement Argon2 for password hashing in the sign-up backend, following OWASP guidance, and store a password digest with an internal salt while enforcing a password policy.
Implement a password policy using a facade with the password validator. Validate passwords in the create user route, return errors to the signup screen, and create the user on success.
Explore user session management, learn how a session ID replaces the password on every HTTP request, and implement a stateful login flow with in-memory sessions and secure session handling.
Convert callback-based node APIs to promise-based using util.promisify, creating a security.utils module and enabling async/await with crypto.randomBytes for maintainable, synchronous-feeling code.
Use Node async/await to write synchronous-looking code, generate a 32-byte session ID with crypto.randomBytes, create the user and session, hash passwords with Argon2, and store the session in memory.
Model a user session as a TypeScript class with a session ID, a user, and a moment.js-based validUntil timestamp, plus an isSessionValid method.
Explore how browser cookies manage user sessions by creating an in-memory session store, issuing a session ID cookie, and linking requests to users via cookies.
Explore how cookies store session IDs, why attackers can steal them via cross-site scripting, and how to defend by making cookies inaccessible to JavaScript to prevent impersonation.
Learn to protect session IDs by marking cookies as HttpOnly, preventing JavaScript access while still sending cookies automatically with each request.
Enable HttpOnly and secure cookie flags to protect session IDs from network attacks by running Angular CLI and API server over https with a self-signed certificate, and handle browser warnings.
Learn to load and broadcast authenticated user data from session at app startup, shield sensitive lessons data behind authentication, and eliminate user interface flicker by treating initial user as undefined.
Secure the lessons endpoint by returning an object instead of an array, prevent json hijacking, and validate the user session to display data only for authenticated users.
Implement logout by posting to /api/logout to destroy the server-side session and clear the HttpOnly cookie, then propagate anonymous user data to update the UI.
Implement the login flow: send http post to /api/login with email and password, verify password digest, create a user session, set cookies, and navigate to home.
Conclude login functionality with a complete stateful session flow, validating passwords via Argon2 verify, setting a session cookie, and issuing a session ID stored in memory.
Learn how JSON web tokens enable a fully stateless server and support delegation to externalized, third-party authentication services. Discover how they replace pre-authentication in enterprise environments and enable single sign-on.
Generate your first JSON web token with the JWT 256 script by signing a payload with a secret key, and see what a JWT looks like.
Explore JSON web tokens as an open standard for representing claims, with a three-part structure of header, payload, and signature, encoded in base64 for self-verification.
Discover the JSON web token format: header, payload, and signature; the base64-encoded header and payload are not encrypted, and the signature enables verification via HS256 or RS256.
Learn how HS256 signs JSON web tokens with a secret key using HMAC, enabling payload verification and self-validating tokens. Contrast with RS256 and the key exchange implications.
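The HS256 mechanism these lessons describe, as an added example (not the course's own code or any JWT library): the header and payload are only base64url-encoded, the third part is an HMAC-SHA256 over "header.payload" under the shared secret, and verification recomputes that HMAC, pins the algorithm, and checks the exp claim. Function names are assumptions.

```typescript
import * as crypto from "crypto";

// base64url: base64 with the URL-safe alphabet and no padding (RFC 7515).
function base64url(input: Buffer | string): string {
  return Buffer.from(input).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlDecode(s: string): Buffer {
  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64");
}

function hmacSha256(data: string, secret: string): Buffer {
  return crypto.createHmac("sha256", secret).update(data).digest();
}

// Sign: anyone can decode the header and payload; only a holder of the
// secret can produce the signature (and therefore also verify it).
export function signHs256(payload: object, secret: string): string {
  const header = base64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = base64url(JSON.stringify(payload));
  const signingInput = `${header}.${body}`;
  return `${signingInput}.${base64url(hmacSha256(signingInput, secret))}`;
}

// Verify: recompute the HMAC and compare in constant time, accept only
// HS256 (never trust the token's own "alg"), then check expiry in seconds.
export function verifyHs256(
  token: string, secret: string, nowSeconds = Math.floor(Date.now() / 1000),
): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  let hdr: { alg?: string };
  try { hdr = JSON.parse(base64urlDecode(header).toString("utf8")); } catch { return null; }
  if (hdr.alg !== "HS256") return null;
  const expected = hmacSha256(`${header}.${body}`, secret);
  const given = base64urlDecode(sig);
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) return null;
  let payload: Record<string, unknown>;
  try { payload = JSON.parse(base64urlDecode(body).toString("utf8")); } catch { return null; }
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) return null;
  return payload;
}
```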
Discover RS256 for JWTs and compare it to HS256, showing how public/private keys remove the need for a shared secret and enable secure token creation and verification.
Create a JSON web token with a user subject and expiration, verify it with a public key, and implement RS256-based user sessions in Angular security.
Explore stateless session management by signing JSON web tokens with RSA keys, storing them in HttpOnly and secure cookies, and implementing a signed session token for user signup.
Identify the user by extracting the ID from the JSON web token, fetch the user from the in-memory database, and return profile data or 204 when not found.
Guard the data endpoint with an express middleware that checks a JWT and returns 403 for unauthenticated users. Apply route-specific checks so login routes remain open.
Demonstrate CSRF vulnerabilities by simulating a POST request from a forged page. Learn how session cookies and attacker-controlled links enable this attack and how to defend against it.
Explore the limitations of CSRF by showing how attackers can submit POST forms but cannot access responses or use JSON payloads.
Implement the double-submit cookie CSRF defense by generating an unguessable token, storing it in a cookie, and requiring a matching x-csrf-token header with each request.
Delegate authentication to a third party using JSON web tokens with Auth0, removing cookies and CSRF, and rewrite the Angular app's authentication service to rely on the external provider.
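The double-submit cookie check from the CSRF lessons, as an added example (not the course's code): the server issues a random token in a cookie, and on state-changing requests the x-csrf-token header must equal the cookie. A forged page can make the browser send the cookie but, under the same-origin policy, cannot read it to copy it into a header. The request and response shapes and function names are assumptions that stand in for Express types.

```typescript
import * as crypto from "crypto";

// Minimal request shape so the check runs without Express installed
// (assumption: in the real app this is an Express Request with cookie-parser).
export interface CsrfRequest {
  method: string;
  cookies: Record<string, string | undefined>;
  headers: Record<string, string | undefined>;
}

// Unlike the session cookie, the CSRF cookie must NOT be HttpOnly:
// the app's own JavaScript has to read it to set the header copy.
export const CSRF_COOKIE = "XSRF-TOKEN";
export const CSRF_HEADER = "x-csrf-token";

// 32 random bytes -> 64 hex chars: unguessable for an attacker's page.
export function issueCsrfToken(): string {
  return crypto.randomBytes(32).toString("hex");
}

// Double-submit rule: safe methods pass; for anything else the header copy
// must exist and equal the cookie copy (constant-time comparison).
export function csrfCheckPasses(req: CsrfRequest): boolean {
  if (["GET", "HEAD", "OPTIONS"].includes(req.method.toUpperCase())) return true;
  const cookieToken = req.cookies[CSRF_COOKIE];
  const headerToken = req.headers[CSRF_HEADER];
  if (!cookieToken || !headerToken) return false;
  const a = Buffer.from(cookieToken);
  const b = Buffer.from(headerToken);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Express-style middleware: reject with 403 when the two copies do not match.
export function csrfMiddleware(
  req: CsrfRequest,
  res: { status(code: number): { send(body: string): void } },
  next: () => void,
): void {
  if (csrfCheckPasses(req)) next();
  else res.status(403).send("CSRF token missing or mismatched");
}
```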
Create and configure an Auth0 account to enable authentication in an angular single-page application, including setting tenant, region, and obtaining client ID and domain for login and signup.
Set up an externally hosted login page using the auth0-js library, configure a WebAuth instance, and enable Google social login in the hosted modal.
Learn how to receive and parse the Auth0 JSON web token at app startup using parseHash, extract the ID token and access token, and preserve them for authenticated requests without cookies.
Store the Auth0 id token in local storage via a set session method to persist across reloads, guard against null results, and enable interface updates based on authentication state.
Adapt the user interface by checking the local storage token expiration to show or hide login, sign up, and logout buttons based on whether the user is logged in.
Implement an Angular HttpInterceptor that sends the JSON web token from local storage with each request as a bearer authorization header, and register it as a multi provider.
Implement JWT-based authentication for an Express backend using Auth0, RS256, and the JSON web key set, with key caching, rate limiting, and custom error handling.
Conclude frontend signup by calling PUT /api/userinfo to save or fetch user preferences, emit them via a user observable, and fetch them at startup when a valid token exists.
Implement RBAC in an Angular application by enforcing authorization after authentication, using JSON web tokens, admin impersonation, and an administrator-only menu to protect lessons data.
Implement role-based access control with JWT by embedding user roles in the token payload; enable admin and student permissions, including admin impersonation and access to specific screens and backend services.
Provide a quick RBAC solution overview, outlining front-end impersonation with login as user, admin and student routes, and back-end security via express middleware to check authorization and CSRF protection.
Design a backend Express authorization route for login as user. Implement the checkIfAuthorized middleware with role-based access, including student and admin roles, using the _.partial method.
Implement an Express backend authorization route that reads user roles from the JWT payload and compares them to the allowed roles using lodash intersection, returning 403 when unauthorized.
Implement the login as user backend service to return a JSON web token for the impersonated user and set an HttpOnly session cookie, enabling frontend role-based authorization.
Enable UI-level authorization by building a custom structural directive rbacAllow to show admin elements only, hiding the admin menu from students via a roles array and the authentication service.
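The server-side role check from these two lessons, as an added example (not the course's code): the roles in the verified JWT payload are intersected with the roles a route allows, and the request is rejected with 403 when the intersection is empty. The minimal request and response shapes, and a closure in place of lodash's _.partial, are assumptions so the block runs without Express or lodash installed.

```typescript
// Minimal shapes standing in for Express types (assumption: an earlier
// JWT middleware has already verified the token and stored its payload on req.user).
export interface AuthRequest { user?: { sub?: string; roles?: string[] } }
export interface AuthResponse { status(code: number): { send(body: string): void } }

// Same rule as _.intersection(userRoles, allowedRoles).length > 0:
// the user is authorized when at least one of their roles is allowed.
export function isAuthorized(userRoles: string[] | undefined, allowedRoles: string[]): boolean {
  if (!userRoles) return false;
  const allowed = new Set(allowedRoles);
  return userRoles.some(role => allowed.has(role));
}

// Route-specific factory: checkIfAuthorized(["ADMIN"]) plays the role of
// _.partial(checkIfAuthorized, ["ADMIN"]) and returns the middleware.
// Usage (route handler name is hypothetical):
//   app.post("/api/login-as-user", checkIfAuthorized(["ADMIN"]), loginAsUser);
export function checkIfAuthorized(allowedRoles: string[]) {
  return (req: AuthRequest, res: AuthResponse, next: () => void): void => {
    // The roles are trustworthy only because the token signature was verified
    // earlier; they are never taken from a client-supplied request field.
    if (isAuthorized(req.user?.roles, allowedRoles)) next();
    else res.status(403).send("Forbidden");
  };
}
```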
Implement the rbacAllow structural directive to show elements when user roles intersect with allowed roles. Subscribe to the user observable, render views, and unsubscribe on destroy to prevent leaks.
Implement an authorization guard using canActivate to protect routes by evaluating user roles from the authentication service, returning an observable boolean and redirecting unauthorized users to the home route.
Learn how to separate security from application code using a centralized security server and JSON web tokens, with RS256 signatures, public key rotation, CSRF defenses, and role-based access control.
The course is a Web Application Security Fundamentals Course, where the application will use the Angular/Node stack.
All the server code is in Typescript, but the security concepts explained in it are applicable to other technology stacks.
This course includes an auxiliary Ebook - The Typescript Jumpstart Ebook
We will use several MIT licensed Angular and Node packages from Auth0 (that you could use in your application), and we will also include a demo of how to use Auth0 for doing Application User Management.
It's important to realize that this is NOT an Auth0-specific course. Auth0 will be the source of a couple of open source packages we will use, and we will do a quick demo of it to show how JWT makes it simple to delegate authentication to a third-party system, which could be developed in-house as well.
Security - A Fundamental Step in a Software Development Career
Security is probably the number one advanced topic that Software Developers are expected to master when going forward in their software development careers.
Security knowledge is hard to come by, but it's essential for advancing to more senior software development positions, like for example Application Architect or similar.
Learning Web Security Fundamentals, knowing how to design an application for security, and knowing how to recognize and fix security issues is an essential skill for a senior developer.
But the problem is that security knowledge is orthogonal to most other topics and it typically takes years to learn.
The good news is that once you have it, security knowledge has a much longer shelf life than most software development knowledge in general.
Most of the vulnerabilities and fixes that you will learn in this course were useful 10 years ago, and will (very likely) still be useful 10 years from now - Angular and Node are just an example of one stack, to make the course examples more practical.
Security is seen as something really hard to master - this is actually not the case! Application Security is much more approachable than you might think, depending on how you learn it.
What Is The Best Way To Learn Security in a Fun and Practical Way?
Here is what we will do: we are going to take the skeleton of a running application that has no security yet, and we are going to secure the application step-by-step.
Using a couple of MIT packages from Auth0 (that you would be able to use in any project), we are going to implement the Sign-Up and Login functionality from scratch, and because security cannot be enforced only at the client-side, we will implement both the frontend in Angular and the backend in Node.
As we secure the application, we are going to periodically attack it many times during the course, to prove that the vulnerabilities are real!
By doing so, we will learn along the way the fundamentals of Authentication and Authorization, we will become familiar with common vulnerabilities like Dictionary Attacks, CSRF and others, and we will get familiar with commonly used cryptographic tools like Hashing, Salting, JWT, password storage recommendations and more.
Please don't be intimidated by these concepts: the focus in this course will not be on the internals of each of the cryptographic tools that we will use, but instead on understanding at a high level what problems these tools solve, when to use each and why.
We will also learn how to design our application for security, and we will learn how in many situations application design is our best defense.
Course Overview
We will start at the beginning: we will see the proper way of doing User Management and Sign Up: we will learn how to store passwords in a database, and we will introduce cryptographic hashes in an approachable way.
Once we have the Sign-Up functionality in place, we will implement Login and understand the need for a temporary identity token. Our first implementation will be stateful login, where the token is kept at the server level.
And at this point we could think we have authentication in place, but we decide to prepare our application for scalability, so we decide to try a JWT (JSON Web Tokens) based approach, because we know that this is what services like Firebase and Auth0 use.
We will use a couple of Auth0 packages to quickly refactor our Login to be JWT based, and learn the advantages of using JWT, and some potential disadvantages as well.
We will then see how it's also possible to do Authentication using a third-party JWT-based service like Auth0, effectively removing all authentication logic from both our codebase and our database, and delegating it to a third-party service.
Note that this Auth0-specific part is only a small part of the course, and its main goal is to show how it's possible at an enterprise level to delegate authentication to a centralized service, without having to introduce direct communication between applications and the centralized authentication service.
This means that if you can't use Auth0 at your company, you can apply the same design principles and design a JWT-solution that delegates authentication to a centralized server behind the firewall.
We will then cover how to do UI-level role-based functionality in Angular using the Angular Router, and a custom directive for showing or hiding certain parts of the UI depending on the role of the user. We will learn why the Router cannot enforce actual security.
We will also talk about server-side Authorization, and we will implement a commonly needed security-related Admin Level functionality: the Login As User service, which allows an admin to log in as any user to investigate a problem report. We can see why we would need to secure this functionality!
At the end of all these vulnerabilities and security fixes, we will have a well secured application and we will have learned a ton of security-related concepts along the way in a fun and practical way!
What Will you Learn In this Course?
With this course, you will have a rock-solid foundation on Web Application Security Fundamentals, and you will have gained the practical experience of applying those concepts by defending an application from a series of security attacks. You will have done so by actually performing many of the attacks!
You will have learned these concepts in the context of an Angular/Node application, but these concepts are applicable to any other technology stack.
You will learn what built-in mechanisms Angular provides to defend against security problems, and what vulnerabilities it does NOT defend against and why.
You will be familiar with best practices for password storage, custom authentication service design and implementation, you will know the essentials about cryptographic hashes, be familiar with JWT and several commonly used open source Auth0 packages.
You will be familiar with the following security vulnerabilities: Dictionary attacks, identity token hijacking techniques, the browser same-origin policy, how to combine cookies with JWTs and why, Cross-Site Request Forgery or CSRF, common design vulnerabilities, and more.
You will know common practical solutions for securing both enterprise and public internet applications, such as how to use JWT to delegate authentication to a centralized service, which could be Auth0 or an in-house developed service that follows similar principles.
You will know how to implement UI-level authorization and use client-side constructs like Router guards to implement it and even build your own authorization-related UI directives.
You will also learn about server side authorization, and how to implement a commonly needed backend service that is only accessible to Admins - Login As User.
What Will You Be Able to do at the End Of This Course?
This course could help you take your development career to a more senior level, where the knowledge about web application security is essential and a key differentiating factor.
If you are a private internet business owner or thinking of launching your own platform, this course will contain most of what you need in practice to secure your own online platform in a robust and effective way.
With this course, you will have the knowledge necessary for evaluating many third-party security-related solutions, and you will know where to look for vulnerabilities in your application.
You will be able to understand most application-level vulnerability reports that come out of security audits done by third party companies, and you will be able to understand and fix the most commonly reported problems.