Services Portfolio Team Academy Blog Contact

XSS Attacks: The Browser Against You

249 1 min

XSS — an attacker injects JavaScript code into a web page and runs it in other users' browsers. Reflected XSS: malicious code is in the URL; the victim follows that URL. Stored XSS: code is saved in the database (comments, posts). DOM-based XSS: hidden within client-side JavaScript.

Defence: Output encoding — all special characters are escaped when rendering to HTML (<, &). Content Security Policy (CSP) header controls inline scripts and external sources. HttpOnly and Secure cookie flags prevent JavaScript from reading cookies. React, Vue, and Angular automatically protect against XSS — be cautious with dangerouslySetInnerHTML.

Share