Prevent XSS Through Configuration

Protecting against XSS is a challenge because there are many ways to get around the filters. You can derive large defensive benefits from configuration changes, so let’s begin there.

Proper configuration is the most generic, easiest, and often most useful part of mitigating XSS. The following options narrow the XSS attack surface and limit the damage a malicious script can do.

The first step is to set the HttpOnly flag on cookies. We covered this flag in Secure the Cookies so No One Can Steal Them. Since the main aim of XSS is to hijack the user’s session, the script typically asks for document.cookie containing the sessionID and forwards it to the attacker. If you set the HttpOnly ...
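As an added example (not code from the book), the following Node.js helper builds a session cookie header with HttpOnly set and audits Set-Cookie headers an application already emits. The cookie name `sessionID`, the `Secure` and `SameSite=Lax` defaults, and the `attachSession` function are assumptions for illustration.

```javascript
// Added example, not from the book. Builds an HttpOnly session cookie for a
// Node.js HTTP response and audits existing Set-Cookie headers for the flag.

// Returns a Set-Cookie header value. HttpOnly keeps the value out of
// document.cookie, so a script injected via XSS cannot read it.
// Secure and SameSite=Lax are assumed defaults, not part of the quoted text.
function buildSessionCookie(name, value, { maxAge = 3600, secure = true, sameSite = 'Lax' } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`, `Max-Age=${maxAge}`, 'Path=/', 'HttpOnly'];
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Sets the cookie on a Node http.ServerResponse (assumed usage pattern).
function attachSession(res, token) {
  const header = buildSessionCookie('sessionID', token);
  res.setHeader('Set-Cookie', header);
  return header;
}

// Parses one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flags without a value become true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const out = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const [k, v] = a.split('=');
    out.attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return out;
}

// Returns the names of cookies in the given headers that lack HttpOnly,
// so a response can be checked before it reaches the browser.
function findCookiesMissingHttpOnly(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => c.name);
}

module.exports = { buildSessionCookie, attachSession, parseSetCookie, findCookiesMissingHttpOnly };
```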
