Could Angular guard prevent admin panel server side?

Question

I have a client that insists not to disclose design of the admin part of the app for security reasons.

He thought that malicious experienced user could guess things from the design.

Do Angular guards prevent users (server- side) from disclosing the admin part ?

Answer 1

I can think of 2 options:

• You put the admin side on a different Angular app, and you don't allow downloading the app from outside your company (like putting it on an internal VPC, under an internal domain name, etc).

• If you own your web-server, you can use lazy-loading for the admin module, and add a security layer on the web-server itself so it doesn't allow downloading the admin module (lazy-loaded modules have predictable names, even if they have hashes at the end).

The first option is my preferred one because:

• Then you can distribute your app through a CDN, host it in S3, etc, no need to have a web-server just because of the admin module.
• To me it's hardest to misconfigure this way as it doesn't depend on filename patterns.
• If you ever import your lazy-loaded module by mistake into another module, it stops being lazy-loaded and it will be downloaded along main.js, so the web-server won't protect you from that.