A Training Series — Internal Engineering

The four levels of API security in Node.js + Angular.

No analogies. No metaphors. Just real code, honest benchmarks, and a clear answer to the only question that matters: what does my project need?

Security levels: 4
Cost of L3 / request: 0.16 ms
Network round-trip: 30 ms
Use Level 2 + 3: 99%

01 What you'll learn

Every level explained as actual Node.js + Angular code — not diagrams, not theory. You'll see what changes on the server, what changes in the browser, and what each layer protects you against in practice.

By the end of this series you'll know exactly which level fits which endpoint, and have benchmark numbers you can take to a code review when someone tries to wave hands about "performance concerns."

02 The four levels

Each level builds on the previous. You can stop at any point — the right answer for most apps is somewhere between L2 and L3.

03 Honest benchmarks

Real numbers from real code — Node's native crypto module and the browser's crypto.subtle API. 1,000 iterations each. Median, not average.

04 Where your project fits

For a typical Angular + Node.js REST API, the recommendation is straightforward:

→ Default

Level 2 on every protected endpoint. JWT auth, no exceptions. This is the baseline for everything you ship.

→ Add selectively

Level 3 on sensitive endpoints only. Payment info, OTPs, government IDs, medical records. The cost is 0.16 ms per request — invisible.

→ Skip unless required

Level 4 is for messaging apps and password vaults. The RSA-per-message pattern adds 5–15 ms per call. Don't pay that cost without a clear reason.

Most secure Indian fintech apps — PhonePe, Razorpay merchant dashboards — work this way: Level 2 on everything, Level 3 on payment & KYC endpoints. That's the same recommendation in our client deck.

05 How to use this guide

Read the four levels in order — each one assumes the previous. The benchmark page is reference material; come back to it when someone questions whether encryption is "worth the performance hit."

If you're presenting to a client or non-technical stakeholder, the comparison table at the end of each level page and the "bottom line" section in the benchmarks page are your talking points.