
I was wondering if there was a way to prevent XSS by creating a safe layer within the storage of cookies in the browser locally? Or would there be any unique ways to protect against XSS? I know this has probably been done before, but I am rather new at this, so I would appreciate any help. Thanks

xylinox

1 Answer


You cannot prevent XSS by using cookies, but you can prevent successful XSS attacks from stealing your cookies by setting the HTTP-only flag. HTTP-only cookies are not visible in the context of the JavaScript engine. This is the only connection I can see between XSS and cookies.

What you should look into instead is the CSP (Content Security Policy) HTTP header. It instructs the browser where it's allowed to load content and scripts from.

There are many questions and answers regarding CSP that can aid you here. https://security.stackexchange.com/search?q=csp

Dog eat cat world