#####   ######  #####    ###    #   #  ###  #   #  ######
##  ##  ##      ##  ##  ## ##   #   #   #   #   #  ##
#####   ####    #####   #   #   #   #   #   #   #  ####
##  #   ##      ##      ## ##    # #    #    # #   ##
##   #  ######  ##       ###      #    ###    #    ######

$ curl repovive.com/roadmaps/system-design-interview-prep/security-fundamentals/xss-prevention

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██████████████████████████████████████████████████████████████████████████████████████████████

#####   ######  #####    ###    #   #  ###  #   #  ######
##  ##  ##      ##  ##  ## ##   #   #   #   #   #  ##
#####   ####    #####   #   #   #   #   #   #   #  ####
##  #   ##      ##      ## ##    # #    #    # #   ##
##   #  ######  ##       ###      #    ###    #    ######

$ curl repovive.com/roadmaps/system-design-interview-prep/security-fundamentals/xss-prevention

Repovive

XSS Prevention - Security Fundamentals | System Design Interview Prep | Repovive

Repovive.

System Design Interview Prep22 sections · 691 units23h total

Open in Course

XSS Prevention

Cross-site scripting defense

XSS injects malicious scripts into pages viewed by other users:

Stored XSS: Attacker saves script in database (comment field). Every viewer executes it.

Reflected XSS: Script in URL parameter gets rendered in response.

Prevention:

$1.$ Output encoding: Escape HTML entities before rendering

< becomes &lt;
> becomes &gt;

$2.$ Content Security Policy: HTTP header restricts script sources

Content-Security-Policy: script-src 'self'

$3.$ HttpOnly cookies: JavaScript can't access auth tokens

$4.$ Framework auto-escaping: React, Vue escape by default