Security & Networking

CSRF & XSS Prevention

Preventing Cross-Site Request Forgery and Cross-Site Scripting attacks.

CSRF Protection

# CSRF Token in form
<input type="hidden" name="csrf_token" value="token123">

# Verify token on server
if (req.body.csrf_token !== req.session.csrf_token) {
    throw new Error("Invalid token");
}

CSRF Headers

# SameSite cookie
Set-Cookie: sessionId=abc123; SameSite=Strict; Secure

# Custom header
X-CSRF-Token: token123

# Check Origin header
if (req.headers.origin !== "https://trusted.com") {
    return res.status(403).send();
}

XSS Prevention

# Escape HTML output
function escapeHtml(text) {
    const map = {
        '&': '&amp;',
        '<': '&lt;',
        '>': '&gt;'
    };
    return text.replace(/[&<>]/g, c => map[c]);
}

Content Security Policy

# CSP header
Content-Security-Policy:
    default-src 'self';
    script-src 'self' 'unsafe-inline';
    style-src 'self' 'unsafe-inline';
    img-src 'self' data:

React XSS Protection

# Safe - JSX escapes by default

{userInput}


# Unsafe - dangerouslySetInnerHTML



# Safe alternative - sanitize
import DOMPurify from "dompurify";
const clean = DOMPurify.sanitize(userInput);

Related References

Security & Networking

API Security Best Practices

Securing REST APIs with authentication and rate limiting.
Security & Networking

CORS Basics

Cross-Origin Resource Sharing configuration and headers.
Security & Networking

DNS Basics

Domain Name System records and configuration.