The single most common serious vulnerability and how to avoid it

Teo Selenius Senior Security Specialist

June 21, 2021 at 08:13

Attention developers and product owners!

Nixu's application security expert Teo Selenius shares his discoveries and the latest application features in his AppSec Monkey blog with other developers, technical security experts and anyone who wants to learn about these topics.

Cross-site scripting (XSS) vulnerabilities are widespread, and the impact of such an attack can be devastating to your business.

It's crucial, then, that developers follow good practices to avoid such vulnerabilities. You can read about how XSS creeps into your code and how to prevent it here:
https://appsecmonkey.com/blog/xss.

The good news is that a single browser security control, Content Security Policy (CSP), can prevent XSS attacks even when your application is vulnerable.

CSP gives your web application a set of rules that the browser enforces. One such directive could be: "Don't execute any JavaScript on this page unless it is specifically allowed with a nonce or hash." Under that rule, a script injected by an attacker carries neither a valid nonce nor a listed hash, so the browser refuses to run it.

Read about CSP with runnable examples for different use cases here:
https://appsecmonkey.com/blog/content-security-policy.
