Merge pull request #438 from bugcrowd/self-stored-XSS
Updates to rec for Self-Stored XSS
RRudder authored May 15, 2024
2 parents f5b8ccc + 9784af0 commit 3cd8e1c
Showing 1 changed file with 1 addition and 2 deletions.
@@ -3,10 +3,9 @@
There is no single technique to stop XSS from occurring. However, implementing the right combination of defensive measures within the application will prevent and limit the impact of XSS. Some best practices include the following:

- All user input fields should be sanitized based on what the field is likely to contain. For example, a date field (01/01/2001) should only contain a maximum of 10 characters consisting of numbers and forward slashes. Additionally, drop down or pick lists can be used for allowable inputs to ensure expected values are sent to the server.
- Use appropriate HTTP response headers to ensure the browser correctly interprets responses. These should be customized specific to the application and its environment. For example:
- Implement a Content Security Policy (CSP) to ensure the browser correctly interprets responses and restricts which sources can be used to execute scripts. This should be customized specific to the application and its environment. For example:

``` HTTP
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src ‘self’; script-src ‘self’
```
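Review bot: the `Content-Security-Policy` value on the last line of the hunk is written with typographic single quotes (‘self’) instead of ASCII apostrophes ('self'); the CSP keyword is only recognised in straight quotes, so anyone copying this example verbatim gets an unparseable source expression and the directive will not match the site's own origin as intended. Suggest `Content-Security-Policy: default-src 'self'; script-src 'self'`. Separately, the hunk drops `X-Content-Type-Options: nosniff` from the example while the new sentence narrows the recommendation to CSP only; nosniff is still a useful complement against XSS (it stops the browser from sniffing a non-script response into executable script), so if the intent is to keep the example focused on CSP, the added line could say that other hardening headers remain recommended.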
