- Validate user input: only allow a very strict subset of inputs. Example: only alphanumeric characters.
  Attention: input validation can be tricky. You need to understand the data flow through the app: quoting, encoding, values passed to/from functions, databases, etc.
- Output filtering:
  - Plain output: HTML encoding. Stored data values need to be encoded to represent them in HTML (e.g., < converted to &lt;, etc.).
  - Marked-up output: encoding + domain-specific language (DSL). Use a dedicated syntax (e.g., Markdown) and convert it to a safe subset of HTML.
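The two defenses above (strict allowlist validation on the way in, HTML encoding on the way out), as an added example that is not part of the original notes. The function names, the comment-rendering template and the sample comment are all constructed for illustration.

```javascript
// Added example (not from the original notes): allowlist validation of user
// input and HTML encoding of stored values before they are placed into a page.

// Strict allowlist validation: only ASCII letters and digits, bounded length.
// Anything else is rejected outright rather than "cleaned".
function isStrictAlphanumeric(value, maxLen = 64) {
  return (
    typeof value === "string" &&
    value.length > 0 &&
    value.length <= maxLen &&
    /^[A-Za-z0-9]+$/.test(value)
  );
}

// HTML-encode a stored value for insertion into an HTML text node or a
// double-quoted attribute value. Every character that can open markup or
// terminate an attribute is replaced by its entity.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Render a comment fragment from stored data. The template is fixed markup;
// only the encoded data values are interpolated, so stored markup is shown
// as text instead of being parsed by the browser.
function renderComment(author, body) {
  return `<p class="comment"><b>${encodeHtml(author)}</b>: ${encodeHtml(body)}</p>`;
}

// Constructed sample: a stored comment that contains markup and quotes.
const sampleComment = {
  author: "mallory",
  body: '<img src=x onerror="alert(1)"> & "quotes"',
};

console.log(isStrictAlphanumeric("user42")); // true
console.log(isStrictAlphanumeric("user;drop")); // false
console.log(renderComment(sampleComment.author, sampleComment.body));
```

Note that the encoder covers text nodes and quoted attribute values only; data placed into a URL, a JavaScript string or a CSS value needs the encoding of that context, which is exactly the data-flow question the "Attention" note raises.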
- Use HttpOnly cookies: cookies with the HttpOnly flag are not accessible via JavaScript, preventing theft via document.cookie.
- Enable Content Security Policy (CSP): a strict CSP can prevent inline scripts and limit which domains can be requested.
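A small header audit for the two mitigations just listed, as an added example that is not part of the original notes: it parses Set-Cookie and Content-Security-Policy values and reports cookies without HttpOnly and a script-src that still allows inline scripts. The helper names and the two sample responses are constructed; the CSP rule it applies (browsers ignore 'unsafe-inline' once a nonce, hash or 'strict-dynamic' is present) is standard CSP behaviour.

```javascript
// Added example (not from the original notes): audit response headers for
// an HttpOnly session cookie and a CSP that forbids inline scripts.

// Parse a Set-Cookie value into the cookie name and its lowercased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name] = parts[0].split("=");
  const attrs = new Set(parts.slice(1).map((a) => a.split("=")[0].toLowerCase()));
  return { name, attrs };
}

// Parse a Content-Security-Policy value into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns a list of findings; an empty list means the headers look acceptable.
// `headers` is a plain object with lowercased header names; set-cookie may be
// a string or an array of strings.
function auditHeaders(headers) {
  const findings = [];

  const cookies = [].concat(headers["set-cookie"] || []);
  for (const c of cookies) {
    const { name, attrs } = parseSetCookie(c);
    if (!attrs.has("httponly")) findings.push(`cookie ${name} lacks HttpOnly`);
  }

  const csp = headers["content-security-policy"];
  if (!csp) {
    findings.push("no Content-Security-Policy header");
    return findings;
  }
  const directives = parseCsp(csp);
  // script-src falls back to default-src when absent.
  const scriptSrc = directives.get("script-src") || directives.get("default-src");
  if (!scriptSrc) {
    findings.push("CSP has no script-src or default-src");
    return findings;
  }
  // 'unsafe-inline' is ignored by browsers when a nonce, hash or
  // 'strict-dynamic' is present, so only flag it when none of those is set.
  const hasNonceOrHash = scriptSrc.some((s) =>
    /^'(nonce-|sha(256|384|512)-|strict-dynamic)/.test(s)
  );
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("CSP allows inline scripts");
  }
  if (scriptSrc.includes("*")) findings.push("CSP script-src allows any origin");
  return findings;
}

// Constructed sample responses: one weak, one hardened.
const weakResponse = {
  "set-cookie": ["session=abc123; Path=/"],
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
const hardenedResponse = {
  "set-cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
  "content-security-policy": "default-src 'self'; script-src 'self'; object-src 'none'",
};

console.log(auditHeaders(weakResponse));
console.log(auditHeaders(hardenedResponse)); // []
```

The audit is deliberately conservative: it reports only conditions it can prove from the header text, and a clean result does not by itself mean the policy is tight (a script-src that lists a host serving user-controlled files, for instance, is still permissive).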