item 27970734


chill1 | 4 years ago

> If a site is vulnerable to XSS it's basically game over security-wise.

Another reply seems to have focused on having XSS causing an attacker to gain access to session cookies. But no one has mentioned using Content-Security-Policy [0] - which if set properly can make it nearly impossible to exploit an XSS vulnerability in the first place.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

eganist | 4 years ago

CSP is basically only useful when eng teams don't rely on unsafe-inline and unsafe-eval as a crutch.

which far, far too many apps do.