Hi! I'm

Federico Calò

Software Developer | Technical Writer

I create modern web applications and custom digital tools to help businesses grow through technological innovation. My passion is combining computer science and economics to generate real value.

Contact Me

About Me

My passion for computer science was born at the Technical Commercial Institute of Maglie, where I discovered the power of programming and the fascination of creating digital solutions. From the start, I understood that computer science was not just code, but an extraordinary tool for turning ideas into reality.

During my studies in Business Information Systems, I began to interweave computer science and economics, understanding how technology can be the engine of growth for any business. This vision accompanied me to the University of Bari, where I obtained my degree in Computer Science, deepening my technical skills and passion for software development.

Today I put this experience at the service of businesses, professionals and startups, creating tailor-made digital solutions that automate processes, optimize resources and open new business opportunities. Because true innovation begins when technology meets the real needs of people.

My Skills

Data Analysis & Predictive Models

I transform data into strategic insights with in-depth analysis and predictive models for informed decisions

Process Automation

I create custom tools that automate repetitive operations and free up time for value-added activities

Custom Systems

I develop tailor-made software systems, from platform integrations to customized dashboards

const federico = {
  nome: "Federico Calò",
  ruolo: "Sviluppatore Software",
  città: "Bari, Italia",
  missione: "Aiutare attraverso l'informatica",
  passioni: [
    "Codice Pulito",
    "Innovazione",
    "Crescita Continua"
  ]
};

La Mia Missione

Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.

Democratizzare la Tecnologia

La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.

Unire Informatica ed Economia

Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.

Creare Soluzioni su Misura

Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.

Trasforma la Tua Attività con la Tecnologia

Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.

Parliamone Insieme →

Join the Community

Join the developer community where we discuss software, AI, architecture and DevOps. Share ideas, ask questions and grow with us.

Channel

FC Dev Blog

Get notifications on new articles, complete series, weekly tips and featured tools. Bilingual IT/EN content directly in your Telegram.

New articles as they are published
Weekly tips and code snippets
Polls on future topics

Subscribe to Channel

Group

FC Dev Community

A bilingual IT/EN community for developers. Discussions, Q&A, mutual help and networking with other professionals.

Discussions on articles and technologies
Coding help and code review
Job opportunities and collaboration

Join the Group

Discussion Topics

View

Master SQL

RoadMap.sh

November 2024

View

Oracle Certified Foundations Associate

Oracle

October 2024

View

People Leadership Credential

Connect

September 2024

💻 Languages & Technologies

Java

Python

JavaScript

Angular

React

TypeScript

SQL

PHP

CSS/SCSS

Node.js

Docker

Git

💼

12/2024 - Present

Custom Software Engineering Analyst

Accenture

Bari, Puglia, Italy · Hybrid Analysis and development of computer systems through the use of Java and Quarkus in Health and Public Sector. Continuous training on modern technologies for creating customized and efficient software solutions and on agents.

💼

06/2022 - 12/2024

Software analyst and Back End Developer Associate Consultant

Links Management and Technology SpA

Experience analyzing as-is software systems and ETL flows using PowerCenter. Completed Spring Boot training for developing modern and scalable backend applications. Backend developer specialized in Spring Boot, with experience in database design, analysis, development and testing of assigned tasks.

💼

02/2021 - 10/2021

Software programmer

Adesso.it (prima era WebScience srl)

Experience in AS-IS and TO-BE analysis, SEO evolutions and website evolutions to improve user performance and engagement.

🎓

2018 - 2025

Degree in Computer Science

University of Bari Aldo Moro

Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.

📚

2013 - 2018

Diploma - Corporate Information Systems

Technical Commercial Institute of Maglie

Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.

Contattami

Hai un progetto in mente? Parliamone! Compila il form qui sotto e ti risponderò al più presto.

* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.

OWASP Top 10 2025: The Complete Developer Guide

Every line of code we ship carries an implicit obligation: safeguarding user data and trust. In 2025, as applications grow more complex, architectures become distributed, and AI-assisted coding tools become mainstream, security can no longer be an afterthought. The OWASP Top 10 2025 is the definitive, updated reference of the ten most critical web application vulnerabilities, and every developer building for the web needs to understand it.

This guide walks through all ten categories of the new list, with particular emphasis on the two brand-new categories introduced in 2025: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10). For each vulnerability you will find clear explanations, vulnerable and secure code samples in TypeScript/Node.js, and Angular-specific best practices.

What You Will Learn

All 10 OWASP 2025 categories, including the 2 new entries
Key differences from the 2021 edition
Vulnerable code examples with their secure counterparts
How to protect your npm dependency supply chain
Why 45% of AI-generated code fails security tests
An Angular-specific checklist to harden your applications

What is OWASP and How the Top 10 is Built

The Open Worldwide Application Security Project (OWASP) is a non-profit foundation established in 2001 with a single mission: improving software security globally. Its most well-known deliverable is the OWASP Top 10, a consensus document listing the ten most critical web application vulnerabilities, refreshed periodically using real-world data contributed by hundreds of organizations.

The list is compiled by analyzing millions of applications and hundreds of thousands of vulnerabilities. The methodology blends empirical data (actual incidents, security reports, automated scanning results) with a community survey that captures security practitioners' concerns about emerging threats. Each category maps to one or more CWE (Common Weakness Enumeration) entries, the standardized taxonomy for software weaknesses.

A Brief History

The OWASP Top 10 has gone through several editions: 2004, 2007, 2010, 2013, 2017, 2021, and now 2025. Each update mirrors the evolving threat landscape. In 2017 Injection sat at the top; by 2021 Broken Access Control overtook it. The 2025 edition brings the most significant structural changes yet, introducing two entirely new categories that reflect the modern realities of software development.

What Changed in the OWASP Top 10 2025

The 2025 edition introduces substantial reshuffling and two new entries. Here is the complete list with changes from 2021:

Position	OWASP 2025	Change from 2021
A01	Broken Access Control	Remains at #1 (was A01:2021). Now absorbs SSRF
A02	Security Misconfiguration	Jumps from #5 to #2
A03	Software Supply Chain Failures	NEW - expands A06:2021 (Vulnerable Components)
A04	Cryptographic Failures	Drops from #2 to #4
A05	Injection	Drops from #3 to #5
A06	Insecure Design	Drops from #4 to #6
A07	Authentication Failures	Holds at #7
A08	Software or Data Integrity Failures	Holds at #8
A09	Security Logging and Alerting Failures	Holds at #9 (renamed: "Alerting" replaces "Monitoring")
A10	Mishandling of Exceptional Conditions	NEW - replaces SSRF (now folded into A01)

The Two Key Changes

A03: Software Supply Chain Failures - Supply chain attacks have surged in recent years. This category was overwhelmingly voted the top concern in the OWASP community survey. It covers typosquatting, dependency confusion, malicious packages, and CI/CD pipeline compromise.

A10: Mishandling of Exceptional Conditions - Improper error and exception handling is now recognized as a standalone attack vector. It includes 24 CWEs covering inadequate error handling, fail-open behavior, and sensitive information leakage through error messages.

A01:2025 - Broken Access Control

Broken Access Control holds firm at position number one for the fourth consecutive year. It occurs when users can access resources or perform actions beyond their intended permissions. The most common manifestations include: IDOR (Insecure Direct Object Reference), path traversal, role-based control bypasses, and token or URL parameter manipulation.

In 2025 this category absorbs SSRF (Server-Side Request Forgery), which held position A10 in the 2021 edition. The rationale is that SSRF is fundamentally an access control failure: the server executes requests to resources it should not be able to reach.

Example: IDOR (Insecure Direct Object Reference)

Vulnerable vs secure API - User data access

// VULNERABLE: no ownership check
app.get('/api/users/:id/profile', async (req, res) => {
  // Anyone can view any user's profile by changing the ID
  const user = await User.findById(req.params.id);
  res.json(user);
});

// SECURE: verify ownership + role
app.get('/api/users/:id/profile', authenticate, async (req, res) => {
  if (req.user.id !== req.params.id && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Unauthorized access' });
  }
  const user = await User.findById(req.params.id);
  if (!user) {
    return res.status(404).json({ error: 'User not found' });
  }
  res.json(user);
});

Example: Path Traversal

Preventing path traversal in file downloads

import path from 'path';

// VULNERABLE: user controls the file path
app.get('/api/files/:filename', (req, res) => {
  // An attacker can request: ../../../etc/passwd
  res.sendFile(`/uploads/#123;req.params.filename}`);
});

// SECURE: normalize and validate the path
const UPLOAD_DIR = '/var/www/uploads';

app.get('/api/files/:filename', authenticate, (req, res) => {
  const filename = path.basename(req.params.filename);
  const filePath = path.join(UPLOAD_DIR, filename);

  // Verify the resolved path stays within UPLOAD_DIR
  if (!filePath.startsWith(UPLOAD_DIR)) {
    return res.status(400).json({ error: 'Invalid path' });
  }

  res.sendFile(filePath);
});

      Angular Defenses for Broken Access Control
      Implement Route Guards (canActivate, canMatch) to protect restricted routes
Use an HTTP Interceptor to attach the JWT token to every outbound request automatically
Hide UI elements based on permissions, but always validate server-side
Never store roles or permissions in localStorage without backend verification
Centralize authorization logic in a reusable AuthService

    

A02:2025 - Security Misconfiguration

Security Misconfiguration jumps from position #5 to #2 in 2025. This rise reflects a measurable trend: as the configuration surface grows (cloud, containers, microservices, CDN), misconfiguration errors have become one of the most frequent breach causes.

This category covers: unchanged default configurations, missing HTTP security headers, overly permissive CORS policies, stack traces exposed in production, unnecessary ports and services left open, and debug features left active in production environments.

Security Headers and CORS

Secure HTTP header and CORS configuration

import helmet from 'helmet';
import cors from 'cors';

const app = express();

// Security headers with Helmet
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "https://fonts.googleapis.com"],
      imgSrc: ["'self'", "data:", "https:"],
      fontSrc: ["'self'", "https://fonts.gstatic.com"],
      connectSrc: ["'self'", "https://api.yourdomain.com"],
      frameAncestors: ["'none'"],  // Clickjacking protection
      objectSrc: ["'none'"],
    }
  },
  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
}));

// Restrictive CORS
app.use(cors({
  origin: ['https://yourdomain.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,
  maxAge: 86400 // Cache preflight for 24 hours
}));

Common Misconfiguration Mistakes

Access-Control-Allow-Origin: * in production
Full stack traces visible in error responses
Default credentials left unchanged (admin/admin)
Debug ports (9229 for Node.js) exposed in production
.env files publicly accessible
Directory listing enabled on the web server

A03:2025 - Software Supply Chain Failures (NEW)

This is one of the most significant additions to the OWASP Top 10 2025. Software Supply Chain Failures expands the former A06:2021 (Vulnerable and Outdated Components) to cover a much broader scope: not just vulnerable dependencies, but the entire ecosystem of build systems, distribution infrastructure, and software update mechanisms.

In 2025 this category registered the highest average incidence rate (5.19%) of all categories when tested. It was also overwhelmingly voted the top concern in the OWASP community survey, signaling that security practitioners consider supply chain attacks the fastest-growing threat class.

Supply Chain Attack Types

Software supply chain attacks come in several forms, each with different sophistication levels:

Typosquatting: malicious packages with names similar to popular libraries (e.g. lodahs instead of lodash, expres instead of express)
Dependency Confusion: a public package with the same name as an internal one gets installed instead of the legitimate package
Account Takeover: compromising maintainer accounts to inject malicious code into legitimate packages
Build Pipeline Poisoning: injecting malicious code into CI/CD pipelines during the build process
Slopsquatting: packages targeting dependency names hallucinated by AI coding tools

Real-World Incident: September 2025

In September 2025, a phishing campaign compromised npm maintainer accounts, resulting in the compromise of at least 27 packages with billions of weekly downloads. A self-replicating worm named Shai-Hulud infected over 500 packages before being neutralized. This incident demonstrates how critical supply chain protection has become.

Practical Supply Chain Defenses

Protecting npm dependencies

# 1. Use npm ci (not npm install) to respect the lockfile
npm ci

# 2. Audit vulnerabilities in CI/CD
npm audit --audit-level=high

# 3. Verify package signatures (npm 9+)
npm audit signatures

# 4. Block unauthorized registries in .npmrc
registry=https://registry.npmjs.org/
@mycompany:registry=https://npm.mycompany.com/

# 5. Generate and verify SBOM (Software Bill of Materials)
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

Advanced protection with lockfile and version pinning

// package.json - use exact versions, not ranges
{
  "dependencies": {
    "express": "4.21.2",
    "helmet": "8.0.0",
    "cors": "2.8.5"
  },
  "overrides": {
    "vulnerable-transitive-dep": "2.1.0"
  }
}

      Supply Chain Checklist for Angular Projects
      Run npm audit in every CI/CD pipeline with a blocking threshold
Use Dependabot or Renovate for automated updates
Enable 2FA on all maintainer npm accounts
Verify package provenance before installing (npm info)
Generate an SBOM for every release and monitor it
Use npm ci (not npm install) in all automated environments
Configure an allowlist of authorized registries in .npmrc

    

A04-A07: Overview of Confirmed Categories

A04:2025 - Cryptographic Failures

Drops from #2 to #4 but remains a critical vulnerability. It covers inadequate protection of sensitive data: passwords stored in plaintext or with weak hashing algorithms (MD5, SHA1), cryptographic keys hardcoded in source code, data transmitted without HTTPS, and the use of obsolete encryption algorithms.

Password hashing: vulnerable vs secure

import bcrypt from 'bcrypt';
import crypto from 'crypto';

// VULNERABLE: MD5 is not secure for passwords
const insecureHash = crypto.createHash('md5').update(password).digest('hex');

// SECURE: bcrypt with adequate salt rounds
const SALT_ROUNDS = 12;
const secureHash = await bcrypt.hash(password, SALT_ROUNDS);

// SECURE: password verification without timing attacks
const isValid = await bcrypt.compare(inputPassword, storedHash);

A05:2025 - Injection

Injection drops from #3 to #5, a sign that countermeasures (ORMs, parameterized queries, built-in sanitizers) have gained wider adoption. However, it remains dangerous. This category covers SQL Injection, NoSQL Injection, Command Injection, LDAP Injection, and XSS.

SQL Injection: the most important defense

// VULNERABLE: direct concatenation
const query = `SELECT * FROM users WHERE email = '#123;userInput}'`;
// Malicious input: ' OR '1'='1' --

// SECURE: parameterized queries (PostgreSQL)
const result = await pool.query(
  'SELECT * FROM users WHERE email = $1',
  [userInput]
);

// SECURE: ORM with automatic sanitization (TypeORM)
const user = await userRepository.findOneBy({
  email: userInput  // TypeORM sanitizes automatically
});

A06:2025 - Insecure Design

Concerns flaws in the application's design rather than its implementation. Missing threat modeling, ignoring the principle of least privilege, and omitting controls like rate limiting are all examples of insecure design. The key distinction: a secure design may have implementation bugs, but an insecure design cannot be fixed with better code alone.

A07:2025 - Authentication Failures

Authentication failures include: accepting weak passwords, sessions that never expire, JWT tokens without expiration or with weak secrets, and absence of Multi-Factor Authentication. The primary defense is implementing JWTs with short expiration, secure refresh tokens, and rigorous credential validation.

A08-A09: Integrity and Monitoring

A08:2025 - Software or Data Integrity Failures

This category focuses on maintaining trust boundaries and verifying the integrity of software, code, and data artifacts at a more granular level than Supply Chain (A03). It covers: CI/CD pipelines without integrity checks, auto-updates without signature validation, deserialization of untrusted data, and missing Subresource Integrity (SRI) for external resources.

Subresource Integrity for CDN resources

<!-- VULNERABLE: external script without verification -->
<script src="https://cdn.example.com/lib.js"></script>

<!-- SECURE: SRI verifies file integrity -->
<script
  src="https://cdn.example.com/lib.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux..."
  crossorigin="anonymous">
</script>

A09:2025 - Security Logging and Alerting Failures

Renamed in 2025 with "Alerting" replacing "Monitoring" to stress the importance of not just recording events but generating active alerts when anomalies occur. Without structured logging and alerting, a breach can remain undetected for months.

Structured logging for security events

import winston from 'winston';

const securityLogger = winston.createLogger({
  level: 'info',
  format: winston.format.combine(
    winston.format.timestamp(),
    winston.format.json()
  ),
  defaultMeta: { service: 'auth-service' },
  transports: [
    new winston.transports.File({ filename: 'security.log' }),
  ]
});

// CRITICAL events to log and alert on
function logFailedLogin(email: string, ip: string): void {
  securityLogger.warn({
    event: 'FAILED_LOGIN',
    email,
    ip,
    timestamp: new Date().toISOString(),
    alert: true  // Flag for the alerting system
  });
}

// RULE: 5 failed logins from the same IP = immediate alert
// RULE: admin access from unknown IP = immediate alert
// RULE: permission changes outside business hours = immediate alert

      What to Log (and What NOT to Log)
      Log: successful/failed logins, denied access (403), sensitive data changes, admin actions
Do NOT log: passwords, tokens, credit card numbers, full personal data
Alert on: anomalous login patterns, access from unusual geolocations, spikes in 4xx/5xx errors

    

A10:2025 - Mishandling of Exceptional Conditions (NEW)

The second major addition in 2025. This category contains 24 CWEs related to improper handling of errors, exceptions, and abnormal conditions. The core concept is "fail-open": when an application, upon encountering an error, grants access or continues an operation instead of blocking it.

Exceptional conditions can stem from: missing or incomplete input, unexpected environmental states (memory, network, permissions), error handling at high levels instead of where errors actually occur, and exceptions that are not handled at all.

Key CWEs in This Category

CWE-209: Error messages containing sensitive information
CWE-234: Failure to handle missing parameters
CWE-274: Improper handling of insufficient privileges
CWE-476: NULL pointer dereference
CWE-636: "Failing Open" - not failing securely

Example: Fail-Open in Authentication

Error handling that creates vulnerabilities

// VULNERABLE: fail-open - on error the user gets through
async function verifyToken(req: Request, res: Response, next: NextFunction) {
  try {
    const token = req.headers.authorization?.split(' ')[1];
    const decoded = jwt.verify(token!, process.env.JWT_SECRET!);
    req.user = decoded;
    next();
  } catch (error) {
    // CRITICAL BUG: on exception, execution continues anyway!
    console.log('Token verification failed, continuing...');
    next(); // Unauthenticated user accesses protected resources
  }
}

// SECURE: fail-closed - on error access is denied
async function verifyToken(req: Request, res: Response, next: NextFunction) {
  try {
    const token = req.headers.authorization?.split(' ')[1];
    if (!token) {
      return res.status(401).json({ error: 'Missing token' });
    }
    const decoded = jwt.verify(token, process.env.JWT_SECRET!);
    req.user = decoded;
    next();
  } catch (error) {
    // CORRECT: on error, block access
    return res.status(401).json({ error: 'Authentication failed' });
  }
}

Example: Information Leakage Through Errors

Error messages that reveal sensitive information

// VULNERABLE: exposes internal system details
app.use((err: Error, req: Request, res: Response, next: NextFunction) => {
  res.status(500).json({
    error: err.message,
    stack: err.stack,           // Reveals filesystem paths
    query: (err as any).sql,    // Reveals database structure
    config: (err as any).config // Could reveal credentials
  });
});

// SECURE: generic messages in production, details only in development
const isProduction = process.env.NODE_ENV === 'production';

app.use((err: Error, req: Request, res: Response, next: NextFunction) => {
  // Log details internally
  securityLogger.error({
    message: err.message,
    stack: err.stack,
    url: req.originalUrl,
    method: req.method,
    ip: req.ip
  });

  // Return only a generic message to the client
  res.status(500).json({
    error: isProduction
      ? 'An error occurred. Please try again later.'
      : err.message
  });
});

Example: Resource Exhaustion from Poor Exception Handling

Resource leaks when exceptions are not properly handled

// VULNERABLE: file handle is not released on error
async function processUpload(filePath: string): Promise<void> {
  const handle = await fs.open(filePath, 'r');
  const data = await handle.readFile(); // If this fails, handle stays open
  await processData(data);
  await handle.close();
}

// SECURE: try/finally pattern guarantees resource release
async function processUpload(filePath: string): Promise<void> {
  let handle: fs.FileHandle | null = null;
  try {
    handle = await fs.open(filePath, 'r');
    const data = await handle.readFile();
    await processData(data);
  } catch (error) {
    securityLogger.error({ event: 'UPLOAD_FAILED', filePath, error });
    throw new AppError('File processing failed', 500);
  } finally {
    if (handle) {
      await handle.close(); // Always executed, even on error
    }
  }
}

Core Principle: Fail-Closed

Whenever an exception occurs in a security-sensitive context, the system must deny access by default (fail-closed), never grant it (fail-open). This applies to authentication, authorization, input validation, and any decision that affects security.

Focus: Security of AI-Generated Code

With the widespread adoption of AI coding tools (Copilot, ChatGPT, Claude, Cursor), a new risk has emerged: the security posture of automatically generated code. According to the Veracode GenAI Code Security Report 2025, which analyzed code produced by over 100 LLMs across 80 real-world tasks, the findings are concerning.

AI Security by the Numbers

45% of AI-generated code samples fail security tests and introduce OWASP Top 10 vulnerabilities
72% failure rate for AI-generated Java code
38-45% failure rate for Python, C#, and JavaScript
86% failure rate specifically for Cross-Site Scripting (CWE-80)
88% failure rate specifically for Log Injection (CWE-117)

The Problem Is Not Improving

AI models make the wrong security choices nearly half the time, and this is not improving with larger models. The problem is systemic: models are trained on public code that often contains the very vulnerabilities they should avoid. AI-generated code always requires a human security review.

Security Checklist for AI-Generated Code

Never accept AI-generated code without a security code review
Verify that database queries are parameterized (no concatenation)
Check that user input is validated and sanitized at every entry point
Ensure secrets are not hardcoded in the generated code
Verify error handling follows fail-closed behavior, not fail-open
Check permissions and authorization: AI frequently generates code without access controls
Run automated SAST (Static Application Security Testing) on all AI-generated code

Angular-Specific Security Checklist

Angular ships with several built-in security protections, but it is essential to understand them and avoid disabling them inadvertently. Here is a targeted checklist for Angular applications:

Built-in XSS Protection

DomSanitizer: when to use it and when not to

import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

// Angular automatically sanitizes template bindings
// Double curly brace interpolation automatically escapes HTML

// DANGEROUS: bypassing the sanitizer
@Component({
  template: `<div [innerHTML]="trustedHtml"></div>`
})
export class UnsafeComponent {
  trustedHtml: SafeHtml;

  constructor(private sanitizer: DomSanitizer) {
    // ONLY if the content is fully trusted and under your control
    this.trustedHtml = this.sanitizer.bypassSecurityTrustHtml(content);
  }
}

// SAFE: let Angular sanitize automatically
@Component({
  template: `<div [textContent]="userContent"></div>`
})
export class SafeComponent {
  userContent = ''; // Angular escapes automatically
}

HttpClient and Security Interceptor

Interceptor for authentication and error handling

import { HttpInterceptorFn, HttpErrorResponse } from '@angular/common/http';
import { inject } from '@angular/core';
import { Router } from '@angular/router';
import { catchError, throwError } from 'rxjs';

export const authInterceptor: HttpInterceptorFn = (req, next) => {
  const router = inject(Router);
  const token = getStoredToken(); // From a secure service

  // Add the token only to requests targeting your API
  const secureReq = req.url.startsWith('/api')
    ? req.clone({
        setHeaders: { Authorization: `Bearer #123;token}` }
      })
    : req;

  return next(secureReq).pipe(
    catchError((error: HttpErrorResponse) => {
      if (error.status === 401) {
        // Expired or invalid token: redirect to login
        router.navigate(['/login']);
      }
      // Do not expose error details in the UI
      return throwError(() => new Error('Request failed'));
    })
  );
};

Route Guard with Functional API

Route protection with functional guards (Angular 16+)

import { CanActivateFn, Router } from '@angular/router';
import { inject } from '@angular/core';

export const authGuard: CanActivateFn = (route, state) => {
  const authService = inject(AuthService);
  const router = inject(Router);

  if (!authService.isAuthenticated()) {
    // Redirect to login with return URL
    router.navigate(['/login'], {
      queryParams: { returnUrl: state.url }
    });
    return false;
  }

  // Check role if required by the route
  const requiredRole = route.data?.['role'];
  if (requiredRole && !authService.hasRole(requiredRole)) {
    router.navigate(['/unauthorized']);
    return false;
  }

  return true;
};

Content Security Policy for Angular

CSP header for Angular applications

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-RANDOM_VALUE';
  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
  font-src 'self' https://fonts.gstatic.com;
  img-src 'self' data: https:;
  connect-src 'self' https://api.yourdomain.com;
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self';

      Final Angular Checklist
      Do not use bypassSecurityTrustHtml with user-supplied content
Use HttpClient with interceptors for centralized token handling and error management
Implement functional Route Guards for all protected routes
Configure a restrictive CSP on the server that serves the Angular application
Do not store JWT tokens in localStorage: prefer HttpOnly cookies
Always validate server-side: Angular guards protect only the UI, not the API
Use the --subresource-integrity flag in ng build to generate SRI hashes
Keep Angular up to date: every release includes security patches

    

Conclusions and Action Plan

The OWASP Top 10 2025 reflects a threat landscape in rapid evolution. The two new categories, Supply Chain Failures and Mishandling of Exceptional Conditions, are not academic additions: they represent concrete threats hitting real applications daily. The rise of Security Misconfiguration to position number two confirms that the complexity of modern infrastructure creates ever-expanding attack surfaces.

Developer Action Plan

Here is a practical three-phase roadmap to strengthen your application's security posture:

Week 1 - Fundamentals: Implement access controls on all API endpoints (A01), configure security headers with Helmet (A02), and enable npm audit in your CI/CD pipeline (A03)
Week 2 - Data Protection: Migrate to bcrypt/argon2 for passwords (A04), verify all queries are parameterized (A05), and implement rate limiting (A06)
Week 3 - Monitoring: Set up structured logging with alerting (A09), review all catch blocks to eliminate fail-open patterns (A10), and generate a dependency SBOM (A03)

Next Articles in This Series

Upcoming articles will dive deep into individual web security areas with hands-on guides and complete code:

Article 02: XSS and CSRF - Cross-Site Attacks and how to prevent them in Angular
Article 03: SQL Injection and NoSQL Injection - Deep dive with Node.js and MongoDB
Article 04: Secure Authentication - JWT, OAuth2, and sessions

Web application security is not a one-time checkpoint: it is a continuous process that must be woven into every phase of development, from design through production. As developers, we carry the responsibility of writing secure code by default. The OWASP Top 10 vulnerabilities represent the absolute minimum every developer must understand. Preventing a vulnerability always costs less than dealing with its consequences.