
Not Secure Storage for Token in Angular APP #10005


luca.astolfi@b4y-group.com created

Dear support team,

Following security checks on an application developed with ABP Framework 8.3.3, the Penetration Test team responsible for verifying application compliance reported that the Angular application does not have proper handling of the AccessToken.

The token is also saved in local storage... a vulnerable location that is accessible if combined with an XSS attack. All access tokens should be set with secure attributes such as HttpOnly or SameSite to prevent them from being used by potentially injected JavaScript code.

We would like to know if it is possible to modify this configuration from Angular or understand where to make the override to be compliant with this policy. Thank you in advance.


2 Answer(s)
  • AI-Bot created
    Support Team ABP Agent

    Storing access tokens in local storage is the default approach in ABP Angular applications, but it is not possible to set HttpOnly or SameSite attributes for tokens stored in browser storage from the Angular side. These attributes are only available for cookies set by the server, not for values stored in local or session storage.

    To comply with security requirements such as HttpOnly and SameSite, you must switch from storing tokens in local storage to using secure cookies. This requires significant changes:

    1. Implement server-side authentication using cookies (e.g., OpenID Connect with cookie authentication).
    2. Configure your AuthServer to issue authentication cookies with the HttpOnly and SameSite attributes.
    3. Update your Angular app to use cookie-based authentication instead of storing tokens in local storage.

    There is no built-in ABP Angular mechanism to store access tokens in HttpOnly cookies, as this is a limitation of browser JavaScript APIs. The only way to achieve this is to handle authentication entirely on the server and use cookies for session management.

    No verified source available for this specific query.


    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • erdem.caygor created
    Support Team

    Hello,

    Thank you for your report.

    The current behavior you observed is expected: by default, ABP Framework’s Angular client stores the access token in localStorage. This is the default implementation of the Angular authentication package and is not configurable through the Angular UI layer at this time.

    However, we’re aware that storing tokens in localStorage is not ideal for applications with strict security or compliance requirements. There is already an open issue for the improvement of token handling (for example, moving to an in-memory access token and an HttpOnly refresh token) to mitigate potential XSS risks.

    For now, this behavior cannot be modified directly from Angular, but the topic is being tracked for a future release. You can follow the related issue for updates and potential workarounds.

    Related issue: https://github.com/abpframework/abp/issues/23930

    Thanks
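The two directions the answers above point at, as an added example that is not part of this thread or of ABP's packages: an access token held only in memory and refreshed through an HttpOnly cookie (the improvement erdem.caygor mentions), plus a check of the Set-Cookie attributes the first answer lists. The refresh endpoint path, the JSON field names and the sample cookie values are assumptions.

```typescript
// Added example, not ABP's code: the access token lives only in memory and the
// refresh token travels as an HttpOnly cookie that this script never reads.
// The endpoint path and JSON field names are assumptions, not ABP's.
interface RefreshResponse {
  ok: boolean;
  body: { access_token?: string; expires_in?: number };
  setCookie: string | null; // raw Set-Cookie header: visible to tests, never to browser JS
}
type RefreshCall = (url: string, init: { method: string; credentials: 'include' }) => Promise<RefreshResponse>;

class InMemoryTokenStore {
  private accessToken: string | null = null; // never written to localStorage/sessionStorage
  private expiresAt = 0;
  private readonly refreshUrl: string;
  private readonly call: RefreshCall;
  constructor(refreshUrl: string, call: RefreshCall) { this.refreshUrl = refreshUrl; this.call = call; }
  /** Returns the token only while it is unexpired. */
  get(now: number = Date.now()): string | null {
    return this.accessToken !== null && now < this.expiresAt ? this.accessToken : null;
  }
  /** Keeps the body token in memory; the refresh cookie is left to the browser. */
  apply(res: RefreshResponse, now: number = Date.now()): string | null {
    if (!res.ok || !res.body.access_token) {
      this.accessToken = null; // fail closed instead of keeping a stale token
      return null;
    }
    this.accessToken = res.body.access_token;
    this.expiresAt = now + (res.body.expires_in ?? 300) * 1000;
    return this.accessToken;
  }
  /** credentials: 'include' makes the browser attach the HttpOnly refresh cookie. */
  async refresh(): Promise<string | null> {
    return this.apply(await this.call(this.refreshUrl, { method: 'POST', credentials: 'include' }));
  }
}
/** Parses Set-Cookie attributes so a test fails when the refresh cookie lacks HttpOnly, Secure or SameSite. */
function auditCookieFlags(setCookie: string): { httpOnly: boolean; secure: boolean; sameSite: string | null } {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim());
  const find = (name: string) => attrs.find(a => a.split('=')[0].toLowerCase() === name.toLowerCase());
  const sameSite = find('SameSite');
  return {
    httpOnly: find('HttpOnly') !== undefined,
    secure: find('Secure') !== undefined,
    sameSite: sameSite ? sameSite.split('=')[1] ?? null : null,
  };
}
function cookieIsHardened(setCookie: string): boolean {
  const f = auditCookieFlags(setCookie);
  return f.httpOnly && f.secure && (f.sameSite === 'Strict' || f.sameSite === 'Lax');
}
```

The store deliberately exposes no persistence method, so a code review can verify that the token never reaches a storage API an injected script could query.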

Made with ❤️ on ABP v10.1.0-preview. Updated on October 17, 2025, 13:15