Prevent XSS Through Configuration
Protecting against XSS is a challenge because there are many ways to get around the filters. You can derive large defensive benefits from configuration changes, so let’s begin there.
Proper configuration is the most generic, easiest, and often most useful part of mitigating XSS. The following options narrow the XSS vulnerability area and mitigate possible damages caused by malicious scripts.
The first step is to set the HttpOnly flag on cookies. We covered this flag in Secure the Cookies so No One Can Steal Them. Since the main aim of XSS is to hijack the user’s session, the script typically asks for document.cookie containing the sessionID and forwards it to the attacker. If you set the HttpOnly flag on ...
Get Secure Your Node.js Web Application now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.