0Pricing
Frontend Academy · Lesson

XSS Prevention: Output Encoding CSP

Understand reflected, stored, and DOM-based XSS, escape user-controlled output, avoid innerHTML with untrusted data, and add a Content Security Policy header.

What Is XSS?

Cross-Site Scripting happens when an attacker injects executable JavaScript into your page. The browser runs it with your origin's privileges — stealing cookies, hijacking sessions, defacing the page, redirecting to malware.

Three Flavours of XSS

Stored: malicious script saved in DB, served to every visitor. Reflected: input echoed back in the response (?q=<script>...). DOM-based: client-side JS writes untrusted data into the DOM.

All lessons in this course

  1. XSS Prevention: Output Encoding CSP
  2. CSRF: SameSite Cookies and Tokens
  3. Content Security Policy: nonce and hash
  4. OAuth Flows from the Frontend
← Back to Frontend Academy