I don't know if this security hole is even possible or I am just being paranoid after a spicy dinner.
In a typical Angular app, there are any number of unknown npm packages pulled in transitively. I wonder if some dodgy npm package could take my application data and whisk it off to some server without my knowledge.
It is trivial to bypass the HTTP_INTERCEPTORS so they are not much help as a security guard.
Is the only hard solution to use Windows firewall rules on the PC where the browser/app will be run?
CodePudding user response:
Yes, you are right to be worried about this matter. Indeed there are many npm packages that may contain dangerous code. In general I suggest you use only the "very well known packages". There is software that can help you with this, like "bytesafe". Here is a more detailed article on how it works: https://bytesafe.dev/posts/npm-security-issues-2021/ (no marketing intended). If you don't intend to use such software, then you should always check your packages by using npm audit (example: npm audit --audit-level=critical) and update the packages accordingly, or use npm audit fix.
I saw you are talking about "Windows firewall rules". The server where your site sits may be Linux or any other kind of OS. There is an entire universe about server security and security architectures. It depends a lot on whether you are in the cloud or on-premise, for example. So there are security best practices for each approach and you should follow those according to your context.