Question

I'm not sure whether seeing these directives in plain text poses any particular threat to our app hacking or not. But if nothing else one can clearly see our model structure and functionality. If Angular removed those after bootstrapping it would at least make it a bit harder to access...

Two questions

  1. Would it be possible to remove all custom ng- attributes from markup after Angular app bootstrapped? Would the app still work as expected?

  2. Would it be possible to dynamically add ng- attributes on DOM Ready using jQuery, and then remove them as per #1? If this required manual app bootstrapping so be it?

By having the possibility of the #2 somehow we could externalize app configuration and HTML markup would never show any declarative directives (just in the time between configuration-bootstrapping-removal). But at least there would be none if user disabled JavaScript.


Solution

Anything that you expose via Angular will have to be exposed in some way anyway to the client if the client is supposed to show some data. If you want to have an interactive client-side application, then it needs to have some form of client-side model and data structure and code working on those things. Whether you express them purely in procedural code in a .js file or embed part of the structure into the HTML markup hardly makes any difference. It does not make anything any more hackable which wouldn't already be hackable to begin with.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow