Wrapping Up

In this chapter we covered a whopping amount of information about XSS. Its large attack surface makes it difficult to evade, but you now know the various OWASP rules on how to avoid XSS flaws in your application. You should be able to identify different attack points and know when to apply which encoding rules.

XSS is not the only attack vector on the client side. In the next chapter, we look at another one: CSRF (cross-site request forgery).

Footnotes

[65]

https://developer.mozilla.org/en/docs/Security/CSP

[66]

https://github.com/helmetjs/csp

[67]

https://developer.mozilla.org/en-US/docs/Security/CSP/Using_Content_Security_Policy

[68]

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

[69]

http://embeddedjs.com/ ...

Get Secure Your Node.js Web Application now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial