03.03 | 9 – 5 PM (CET) | Online
Workshop
Angular Security
Teach your team how to block XSS and CSRF attacks, and implement OAuth 2.0 correctly rather than just crossing your fingers and relying on the framework’s default settings.
Is it for you?
Finding reliable security advice for Angular is hard. We move beyond theory with a mix of hands-on labs, real-world demos, and deep-dive discussions. You’ll explore how Angular handles security out of the box and, more importantly, how to avoid the common mistakes that bypass those protections. From secure data storage to modern OAuth 2.0/2.1 flows, you get immediately applicable advice tailored to your own application’s architecture.
Takeaways
Understand the SPA security landscape
Learn how browser security fundamentals - same-origin policy, HTTPS, CORS - apply to Angular apps. Understand the difference between authentication and authorization, and why SPAs require a different security mindset than traditional server-rendered apps.
Stop XSS, CSRF and injection attacks
Know exactly what Angular sanitizes for you - and where it doesn't. Understand security contexts for HTML, URLs and styles, when bypassSecurityTrust* creates real risk, and how CSRF works with both cookie and token-based auth.
Learn from real Angular security advisories
Study documented vulnerabilities in Angular itself - including XSS bypasses in the template compiler's sanitization schema - and in ecosystem libraries. Understand how they were introduced, how Angular patched them, and why keeping dependencies current is a security decision.
OAuth 2.0 and OpenID Connect correctly
Move beyond ad-hoc session handling to modern token flows. Understand Authorization Code + PKCE for SPAs, token storage trade-offs, and the Backend-for-Frontend (BFF) pattern that closes the most critical security gaps.
Content Security Policy and Trusted Types
Go beyond sanitization with defence-in-depth at the browser level. Learn to configure a strict CSP for Angular with nonce-based scripts, avoid common policy mistakes, and use Trusted Types to prevent entire classes of DOM-based attacks.
Automate security into your CI/CD pipeline
Build a security net that runs on every commit. Use automated dependency vulnerability scanning (npm audit, Snyk, Socket.dev) and establish an update workflow so your team never unknowingly ships known vulnerabilities to production.
Agenda
Check out what we will be discussing at the workshop!
Duration: 8 hours.
SPA security foundations (1h 30min)
- Browser security model – same-origin policy, CORS, HTTPS and why they matter specifically for SPAs
- Authentication vs. authorisation – mental models, roles, route guards and HTTP interceptors in Angular
- Cookies, sessions and tokens – HttpOnly, Secure, SameSite attributes; when to use what; common pitfalls
- Key web security risks for Angular apps – mapping the most relevant OWASP risks to frontend and Angular-specific patterns
XSS, CSRF and Angular's defences (2h)
- How Angular prevents XSS – sanitization, security contexts, interpolation vs. innerHTML vs. bypassSecurityTrust*
- XSS pitfalls developers create – unsafe use of DomSanitizer, template injection risks, SSR-specific attack surface
- CSRF mechanics and mitigations – how the attack works, SameSite cookies, Angular HttpClient’s built-in XSRF support
- Other injection risks – open redirects, HTML injection in dynamic content, what Angular does and doesn’t protect you from
OAuth 2.0, OIDC and session management (2h)
- Auth flows for SPAs – Authorization Code + PKCE, why older flows were deprecated, common mistakes in implementation
- Secure token storage – localStorage vs. memory vs. HttpOnly cookies; what each approach protects against and what it doesn’t
- Backend-for-Frontend (BFF) pattern – why it’s the recommended architecture for secure Angular apps and how to apply it
- Token lifecycle – refresh token rotation, silent renew, session expiry, logout and token revocation
CSP and Trusted Types (1h)
- Content Security Policy for Angular – nonce-based scripts, deploying CSP without breaking your app, common misconfigurations
- Trusted Types – enforcing safe DOM sinks, integrating with Angular’s DomSanitizer, what it protects against
- Security headers awareness – which headers protect your Angular app, how to verify they’re set correctly, and who on the team is responsible
Angular vulnerabilities and supply chain (1h)
- Real Angular security advisories – documented XSS vulnerabilities in Angular’s template compiler and ecosystem libraries; how they were discovered and fixed
- Third-party npm risk – how vulnerable transitive dependencies affect your app, evaluating library trustworthiness, lock file discipline
- Staying current – reading Angular security advisories, automated update strategies with ng update, understanding end-of-life risks
Security automation and CI/CD (30min)
- Dependency vulnerability scanning – automated tooling (npm audit, Snyk, Socket.dev); integrating checks into your CI pipeline
- Static code analysis – using linting rules and automated tooling to catch security-sensitive patterns before they reach production
- Building a security checklist – pre-deployment checks, making security part of your team’s definition of done
Benefits
Hands-On Exercises
Work on real, practical tasks so you don’t just hear about modern Angular, you actually use it right away.
Q&A Session
Get clear answers to your questions during a dedicated Q&A: a chance to clarify concepts and dive deeper into real-world use cases.
Small Group
With a maximum of 15 participants, you’ll benefit from more interaction and personalized support.
Certificate of participation
A simple way to show your updated Angular skills to your team, clients, or future employers.
Are you interested?
Your Trainer
Mateusz Stefańczyk
Google Developer Expert
For 9 years, Mateusz has been developing web applications with Angular. He has performed dozens of audits for Angular projects worldwide. Mateusz actively participates in the angular.love community, writing expert articles, and sharing his knowledge at Angular meetups in Poland, Norway, Germany, and the UK.
What do developers say about our workshops?
I highly recommend Modern Angular Workshops.
Mateusz's deep knowledge makes it really beneficial.
Workshops helped me take my signal skills to another level and I hope that I will have the opportunity to participate once again.
– Jakub
I thoroughly enjoyed attending the two-day workshop. The trainers were very friendly and approachable, making the learning experience engaging and supportive. Even after the workshop, they remain available to help with any questions, which I truly appreciate.
After the trainings, you will have a clear understanding of how to improve your projects with the latest Angular features.
– Sofia
What I appreciated most about Mateusz’s Signal Forms workshop was that he went beyond the basics and tackled real-world use cases — you could tell he really knows what he’s talking about. Fanis did a great job moderating the Scalable Architecture & Modern Reactivity session, bringing years of hands-on Angular expertise to the table. I walked away with ideas I’m already putting into practice.
– Steffen
Attending the camps for the Scalable architecture & Modern Reactivity Workshop along with the Signal Forms Workshop.
First session delivered by Fanis was amazing; from the first slide he showed his passion in the topic and the in-depth knowledge that he has in it. I was quite sceptical about NX setup but his slides and practical sessions helped to understand it better and see the benefits that it comes with and how much easier the codebase becomes with NX.
Sessions on Signal forms by Mateusz made me push harder for Angular 21 upgrade at my work. The delivery was exceptional; simple and lab sessions covered each topic in real depth. The labs were easy to follow, expanded on the slides and helped to understand the new features well.
Overall both days were really good in terms of content, delivery and passing on the knowledge of the experts onto participants. Each session was adjusted to the audience in terms of pace, there was always time to ask questions and during practical sessions both speakers had all the time to fix any issues that were raised by us.
– Rafał
Get your tickets
Join us for an online Modern Angular workshop. Secure your spot today!
Signal Forms
Start at 9AM (CET) • Duration 8h
Date: 03.03
300 EUR
- Full-day workshop access
- Hands-on sessions with mentor
- Certificate of Participation
- Q&A Session
2-Day Workshop
Start at 9AM (CET) • 2x (online)
699 -> 449 EUR
4 spots left with promo price!
Dates:
Architecture: 02.03
Signal Forms: 03.03
Benefits from Architecture
+ Signal Forms included
Why us?
Projects worldwide
USA, Germany, UK,
Norway, Belgium
Angular experts
Who have coded in Angular
since its release
Years of experience
Building enterprise-scale
web applications
Bring This Workshop to Your Team!
Want to upskill your entire dev team? This Angular workshop is also available as a private in-house or remote session, fully adapted to your team’s needs, codebase, and experience level.
FAQ
Who is this Angular workshop for?
For developers who have been working with Angular but haven’t had time to catch up with the latest changes.
Also ideal for those early in their Angular journey (up to ~1 year) who want to understand modern patterns, architecture, and tooling.
Will the workshop be recorded and available for later access?
No, the workshop will be live only. There will be no recordings available afterwards.
In what language will the workshop be conducted?
The workshop will be conducted in English.
Is there any certification or proof of participation?
Yes, every participant will receive a certificate of participation after completing the workshop.
Do I need to install anything before the workshop?
No installation is required. All coding exercises will be done in-browser using StackBlitz.