> angular-security

Harden Angular apps against XSS, CSP violations, and unauthorized access. Use when implementing XSS protection, Content Security Policy, or auth guards in Angular. (triggers: DomSanitizer, innerHTML, bypassSecurityTrust, CSP, angular security, route guard)

fetch: $ curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/angular-security?format=md"

SKILL.md (angular-security)

Security

Priority: P0 (CRITICAL)

Principles

  • XSS Prevention: Angular escapes interpolated values by default, so {{ userInput }} is rendered as text and cannot inject markup. Do NOT bind to innerHTML unless absolutely necessary (e.g., trusted static CMS content); even then Angular sanitizes the bound value, but the markup is still rendered. For user-generated content, display it as text with {{ content }}, never as HTML.
  • Bypass Security: Only bypass security for content you control (e.g., trusted CMS headers). Never call bypassSecurityTrustHtml on user-provided data. Use DomSanitizer.sanitize(SecurityContext.HTML, content) instead of bypass functions. Audit every bypassSecurityTrust* call as a potential XSS vector.
  • Route Guards: Protect all sensitive routes with a functional CanActivateFn that returns true for an authenticated user and otherwise a redirect (e.g., inject(Router).createUrlTree(['/login'])). Apply it with canActivate: [authGuard].
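The "audit every bypassSecurityTrust* call" principle above is easy to turn into a repeatable review step. The following is an added example, not code from the skill or its repository: a small scanner that reports the lines of an Angular source file that call a bypassSecurityTrust* method or bind to innerHTML, so each hit can be justified or replaced with DomSanitizer.sanitize. The component it scans is a constructed sample embedded inline.

```typescript
// Added example: flag the Angular APIs this skill says to review.
// The scanned component below is constructed sample input, not project code.

interface Finding {
  line: number;    // 1-based line number in the scanned source
  api: string;     // the matched API or template binding
  snippet: string; // the trimmed source line, for the review report
}

// Patterns a reviewer treats as potential XSS vectors in Angular code.
// Each hit needs a written justification (trusted static content only).
const RISKY_PATTERNS: RegExp[] = [
  /\bbypassSecurityTrust(Html|Style|Script|Url|ResourceUrl)\b/, // DomSanitizer bypass methods
  /\[innerHTML\]\s*=/,                                          // template property binding
  /\.innerHTML\s*=/,                                            // direct DOM write from code
];

// Scan one file's text and return every risky line, in source order.
function auditAngularSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    for (const pattern of RISKY_PATTERNS) {
      const m = pattern.exec(text);
      if (m) {
        findings.push({
          line: idx + 1,
          api: m[0].replace(/\s*=$/, "").trim(), // drop the trailing "=" of a binding
          snippet: text.trim(),
        });
      }
    }
  });
  return findings;
}

// Constructed sample component: one correct sanitize() call (line 10),
// one innerHTML binding (line 6) and one bypass on user input (line 11).
const SAMPLE_COMPONENT: string = [
  "import { Component, inject, SecurityContext } from '@angular/core';",
  "import { DomSanitizer } from '@angular/platform-browser';",
  "",
  "@Component({",
  "  selector: 'app-cms-block',",
  "  template: '<div [innerHTML]=\"html\"></div>',",
  "})",
  "export class CmsBlockComponent {",
  "  private sanitizer = inject(DomSanitizer);",
  "  html = this.sanitizer.sanitize(SecurityContext.HTML, this.cmsBody);",
  "  preview = this.sanitizer.bypassSecurityTrustHtml(this.userComment);",
  "}",
].join("\n");

// Print a review report: "line 6: [innerHTML]" and "line 11: bypassSecurityTrustHtml".
console.log(
  auditAngularSource(SAMPLE_COMPONENT)
    .map((f) => `line ${f.line}: ${f.api}  |  ${f.snippet}`)
    .join("\n"),
);
```

The sanitize() call on line 10 is deliberately not reported: it is the replacement the skill recommends, so the report only lists the places where a reviewer has to decide whether the content is genuinely static and trusted.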

Guidelines

  • CSP: Configure CSP headers on the server (not in Angular source). Use a nonce-based CSP with script-src 'nonce-{nonce}', where the server generates a fresh nonce per response, and avoid 'unsafe-inline' and 'unsafe-eval'.
  • HTTP: Use interceptors to attach credentials to outgoing requests (for example, by setting withCredentials so the browser sends the session cookie). Keep auth tokens in HttpOnly cookies managed by the server, not in localStorage or sessionStorage, which any script running in the page (including an injected XSS payload) can read.
  • Secrets: Never store API keys or secrets in Angular source code or the built bundle; everything shipped to the browser is public.
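The CSP guideline above is a server-side configuration, so the check belongs in the server or in CI rather than in the Angular bundle. Below is an added example, not code from the skill or its repository: it builds the nonce-based policy the guideline describes, parses a policy string back into directives, and audits it for the weak sources the guideline rules out. The nonce value in the usage line is a constructed placeholder; a real deployment generates one per response in the server middleware that sets the header.

```typescript
// Added example: build, parse and audit a nonce-based Content-Security-Policy.
// The nonce used at the bottom is a constructed placeholder, not a real nonce.

type Policy = Map<string, string[]>; // directive -> source list

// Parse a serialized policy ("a b; c d e") into directive -> sources.
function parseCsp(header: string): Policy {
  const policy: Policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ";" or empty segment
    policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Serialize a policy back into header form.
function serializeCsp(policy: Policy): string {
  return Array.from(policy.entries())
    .map(([directive, sources]) =>
      sources.length ? `${directive} ${sources.join(" ")}` : directive)
    .join("; ");
}

// The policy this guideline recommends for an Angular app: scripts only from
// 'self' or the per-response nonce, no unsafe-inline / unsafe-eval, plus the
// usual companions (no plugins, locked base URI, no framing).
function buildNonceCsp(nonce: string): string {
  const policy: Policy = new Map<string, string[]>([
    ["default-src", ["'self'"]],
    ["script-src", ["'self'", `'nonce-${nonce}'`]],
    ["style-src", ["'self'", `'nonce-${nonce}'`]],
    ["object-src", ["'none'"]],
    ["base-uri", ["'self'"]],
    ["frame-ancestors", ["'none'"]],
  ]);
  return serializeCsp(policy);
}

// Audit a policy string and return the problems a reviewer would flag.
// Note: when a nonce or hash is present, browsers ignore 'unsafe-inline' in
// that directive, but it is still reported here because its presence means
// the policy falls back to allowing inline scripts in older browsers.
function auditCsp(header: string): string[] {
  const policy = parseCsp(header);
  const scriptSrc = policy.get("script-src") ?? policy.get("default-src");
  if (!scriptSrc) {
    return ["no script-src or default-src: scripts may load from anywhere"];
  }
  const problems: string[] = [];
  for (const weak of ["'unsafe-inline'", "'unsafe-eval'", "*"]) {
    if (scriptSrc.includes(weak)) problems.push(`script-src allows ${weak}`);
  }
  const hasNonce = scriptSrc.some((s) => /^'nonce-[A-Za-z0-9+\/=_-]+'$/.test(s));
  if (!hasNonce) {
    problems.push("script-src has no 'nonce-<value>' source: policy is not nonce-based");
  }
  return problems;
}

// Usage with a constructed placeholder nonce (a real server mints one per response).
const PLACEHOLDER_NONCE = "r4nd0mNonceValue";
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
console.log("recommended:", buildNonceCsp(PLACEHOLDER_NONCE));
console.log("audit of recommended:", auditCsp(buildNonceCsp(PLACEHOLDER_NONCE)));
console.log("audit of weak policy:", auditCsp(WEAK_POLICY));
```

The weak policy in the usage lines is the configuration the guideline warns against placed beside the corrected one: the audit reports 'unsafe-inline', 'unsafe-eval' and the missing nonce for it, and nothing for the nonce-based header. The same nonce goes into the style-src directive because Angular injects component styles as inline style elements; Angular applies that nonce to them when the root element carries the ngCspNonce attribute with the same value.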

Anti-Patterns

  • No bypassSecurityTrust: Trust Angular's sanitization; bypass only for verified static content you control.
  • No localStorage for tokens: Keep auth tokens in HttpOnly cookies set by the server and let an interceptor send credentials with each request.
  • No secrets in source: Never embed API keys or secrets in Angular bundle code.

References


stats: installs/wk 0; github stars 452; first seen Mar 17, 2026

repo: HoangNguyen0403/agent-skills-standard by HoangNguyen0403