
Mastering Web Application Development with Express by Alexandru Vlăduțu


Cross-site scripting

A Cross-site scripting (XSS) attack allows an attacker to inject malicious client-side scripts into a web application. Once the script is injected into a trusted website, it has access to the user's sensitive information, such as cookies, the content of the page, and more.

To guard our Express applications against this type of attack, we should employ the following techniques:

  • Validate data sent by the user (input)
  • Sanitize output, including data stored on the backend, such as in a database
  • Enable a Content Security Policy (CSP)

Validating input

We should always validate data sent by users before processing it. In some situations we can check it against a list of known values, but this isn't always possible.
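The three techniques listed above (input validation, output sanitization and a CSP header), wired into an Express-style route handler. This is an added example written for this section, not code from the book; the route `/greet`, the `name` parameter, the whitelist pattern and the CSP value are assumptions chosen for illustration, and only Node core APIs are used so it runs without Express installed.

```javascript
// Added example (not from the book): XSS defences for an Express-style handler.

// 1. Input validation: accept only a known shape for the "name" parameter.
//    Assumed whitelist: letters, digits, space, underscore, hyphen, 1-32 chars.
const NAME_RE = /^[A-Za-z0-9_ -]{1,32}$/;
function validateName(value) {
  return typeof value === 'string' && NAME_RE.test(value);
}

// 2. Output sanitization: escape characters that are special in HTML text
//    and attribute contexts before untrusted data is written into the page.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// 3. Content Security Policy (assumed value): only same-origin scripts,
//    no inline scripts, no plugins, no <base> tag hijacking.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Build the response as plain data so it can be tested without a server.
function renderGreeting(name) {
  if (!validateName(name)) {
    return { status: 400, body: '<p>Invalid name</p>' };
  }
  // Even validated data is escaped: defence in depth if the whitelist changes.
  return { status: 200, body: `<p>Hello, ${escapeHtml(name)}!</p>` };
}

// Express-compatible handler; mount with: app.get('/greet', greetHandler)
// Uses Node's res.setHeader/res.statusCode/res.end, which Express exposes too.
function greetHandler(req, res) {
  const url = new URL(req.url, 'http://localhost');
  const { status, body } = renderGreeting(url.searchParams.get('name') || '');
  res.setHeader('Content-Security-Policy', CSP);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.statusCode = status;
  res.end(body);
}

module.exports = { validateName, escapeHtml, renderGreeting, greetHandler, CSP };
```

The CSP header blocks inline `<script>` blocks entirely, so any injected script that slips past validation and escaping still does not execute in a CSP-aware browser.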

A handy module to do validation ...
