How should the XSS threat be handled in Web API?

  • Question

  • User592084112 posted

    We are developing a Web API solution hosted as an Azure Mobile Service. This API basically exposes back-end database entities via GET, PATCH, POST, DELETE. An iOS (iPad) application will be consuming this API.

    My problem (confusion) is,

    1) Should the Web API handle XSS (cross-site scripting) threats, or is it the client's responsibility?

    2) If the Web API should handle XSS threats, should I use the System.Web.Security.AntiXss library, or some other library?

    3) Should I encode (AntiXssEncoder) and save in the database, or encode while returning the data?

    Please let me know how I should address the XSS threat in my Web API code.

    Friday, December 18, 2015 8:52 AM
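    The third question (encode before saving, or encode on output) is the one a worked example can make concrete. The following C# is an added example, not code from the thread or from any Microsoft library: it assumes a hypothetical `Note` entity with a free-text `Body`, an in-memory store, an ASP.NET Web API 2 controller, and a separate (assumed) HTML front end that is the only place the text is ever rendered as HTML. It uses the real `AntiXssEncoder.HtmlEncode(string, bool)` method from `System.Web.Security.AntiXss` (.NET Framework 4.5+) that the question names.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Security.AntiXss;   // System.Web.dll, .NET Framework 4.5+

// Hypothetical entity: the iPad app POSTs free text and later GETs it back.
public class Note
{
    public int Id { get; set; }
    public string Body { get; set; }
}

public static class NoteStore
{
    // Constructed in-memory store standing in for the database.
    private static readonly Dictionary<int, Note> Notes = new Dictionary<int, Note>();

    // Persist the text exactly as received: the database is not an HTML
    // context, and encoding here would alter the data for every non-HTML reader.
    public static Note Save(int id, string body)
    {
        var note = new Note { Id = id, Body = body };
        Notes[id] = note;
        return note;
    }

    public static Note Find(int id) => Notes.TryGetValue(id, out var n) ? n : null;

    // HTML encoding belongs at the point where a value is written into HTML.
    // Assumed to live in a separate web front end, not in this JSON API.
    public static string RenderIntoHtml(string body) =>
        AntiXssEncoder.HtmlEncode(body, useNamedEntities: false);
}

public class NotesController : ApiController
{
    // Returns the raw value. The JSON serializer escapes quotes and control
    // characters for JSON, which is the only context this response lives in.
    public IHttpActionResult Get(int id)
    {
        var note = NoteStore.Find(id);
        return note == null ? (IHttpActionResult)NotFound() : Ok(note);
    }
}

// Defensive header for the case where a browser ever opens an API URL directly:
// it tells the browser not to guess a different content type for the JSON body.
// Register with config.MessageHandlers.Add(new NoSniffHandler()) in WebApiConfig.
public class NoSniffHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);
        response.Headers.Add("X-Content-Type-Options", "nosniff");
        return response;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input containing characters that matter in HTML.
        const string input = "<script>alert(1)</script> & \"more\"";

        // Option 1 from the question: encode at save time.
        var encodedAtSave = NoteStore.Save(1, AntiXssEncoder.HtmlEncode(input, false));
        // The iPad client now receives "&lt;script&gt;..." instead of what the
        // user typed, and an HTML front end that (correctly) encodes on output
        // double-encodes it to "&amp;lt;script&amp;gt;...".
        Console.WriteLine(encodedAtSave.Body);
        Console.WriteLine(NoteStore.RenderIntoHtml(encodedAtSave.Body));

        // Option 2: store raw, encode only when writing HTML.
        var raw = NoteStore.Save(2, input);
        Console.WriteLine(raw.Body);                           // unchanged for the API
        Console.WriteLine(NoteStore.RenderIntoHtml(raw.Body)); // encoded exactly once
    }
}
```

    The point the example makes: encoding is tied to the output context (HTML, JavaScript, URL, ...), so it is applied where the value leaves the system into that context, not when it enters storage. A JSON API consumed by a native iPad app never produces an HTML context of its own; storing HTML-encoded text there changes the data the app receives and causes double encoding in any HTML front end that encodes on output, as it must.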

All replies

  • User-1946294156 posted

    To handle XSS you first need to understand where your vulnerabilities are. As the name would suggest, you don't want people taking over your site (cross site). This is typically done by inserting JavaScript or other code that might be run to forward users to another site.

    You need to find out if you have this issue and how to factor for it.

    Friday, December 18, 2015 1:59 PM
  • User592084112 posted

    Thanks for your response bobj181. In my case the API consumer will be an iPad application. So, is there no need to handle XSS in the Web API? In case I have to handle XSS in the Web API, what is the recommended way to do it?

    Saturday, December 19, 2015 3:15 AM
  • User1066278571 posted

    Use OAuth2 with OpenID

    Greetings Damien

    Saturday, December 19, 2015 2:53 PM