XSS Attack in Angular

  • Question

  • User1413134711 posted

    I have already made a big application in Angular and want to prevent XSS attacks, but without adding code to each page.

    Any suggestion for a common page, client side and server side, will be helpful.

    Monday, February 12, 2018 11:17 AM

All replies

  • User527778624 posted

    Hi,

    follow the rules below:

    1. Use HttpOnly cookies.
    2. Sanitize what the user enters.
    3. Include only trusted npm and JS libraries.

    https://www.codeproject.com/Articles/1100429/How-to-Solve-XSS-Attack

    Monday, February 12, 2018 3:13 PM
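    The first two rules above as concrete, checkable code. This is an added example written for this thread, not code from either poster: `escapeHtml` is the HTML-context encoding that "sanitize what the user enters" comes down to when untrusted text is written into a page (Angular's `{{ }}` interpolation applies equivalent encoding on its own, so this matters for text rendered outside Angular templates), and `auditSetCookie` parses one `Set-Cookie` header and reports which of the HttpOnly, Secure and SameSite flags are missing. The sample cookie headers are constructed for the example.

```typescript
// Added example for the two checkable rules above; not code from the thread.

// Rule 2, "sanitize what the user enters", in the HTML text context: every
// character that can start markup is replaced by its entity, so an input such
// as <script>...</script> is displayed as text rather than parsed as a tag.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(untrusted: string): string {
  return untrusted.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Rule 1, "use HttpOnly cookies": audit one Set-Cookie header for the flags
// that matter. HttpOnly keeps the cookie out of document.cookie, so a script
// injected through XSS cannot read it; Secure keeps it off plain HTTP.
interface CookieAudit {
  name: string;
  httpOnly: boolean;
  secure: boolean;
  sameSite: string | null;
  problems: string[]; // empty when the cookie carries the recommended flags
}

function auditSetCookie(header: string): CookieAudit {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const [nameValue, ...attrs] = parts;
  const name = nameValue.split("=")[0].trim();
  let httpOnly = false;
  let secure = false;
  let sameSite: string | null = null;
  for (const attr of attrs) {
    const [key, ...rest] = attr.split("=");
    const k = key.trim().toLowerCase(); // attribute names are case-insensitive
    if (k === "httponly") httpOnly = true;
    else if (k === "secure") secure = true;
    else if (k === "samesite") sameSite = rest.join("=").trim();
  }
  const problems: string[] = [];
  if (!httpOnly) problems.push("missing HttpOnly: readable from document.cookie");
  if (!secure) problems.push("missing Secure: sent over plain HTTP");
  if (sameSite === null) problems.push("missing SameSite: browser default applies");
  else if (sameSite.toLowerCase() === "none" && !secure) problems.push("SameSite=None requires Secure");
  return { name, httpOnly, secure, sameSite, problems };
}

// Constructed sample headers (not captured from any real server).
const WEAK_COOKIE = "session=abc123; Path=/";
const HARDENED_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";

console.log(escapeHtml("<script>alert(1)</script>"));
console.log(auditSetCookie(WEAK_COOKIE).problems);
console.log(auditSetCookie(HARDENED_COOKIE).problems);
```

    Note that HttpOnly limits what an injected script can steal (the cookie), not whether the script runs; the encoding in `escapeHtml`, or Angular's built-in template encoding, is what prevents the injection itself.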
  • User283571144 posted

    Hi PRINCE,

    I have already made a big application in Angular and want to prevent XSS attacks, but without adding code to each page.

    Any suggestion for a common page, client side and server side, will be helpful.

    As far as I know, if you use ASP.NET Core, you could set the X-XSS-Protection header at the code level as below:

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        // Inline middleware: runs for every request before MVC handles it,
        // so the header is added to every response without touching each page.
        // The header is set before calling next(), i.e. before the response starts.
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Xss-Protection", "1");
            await next();
        });

        app.UseMvc();
    }

    Or you could enable X-Xss-Protection at the server level.

    You could follow the steps below to enable X-XSS-Protection in IIS.

    1. Open IIS Manager and, in the tree on the left, left-click the site you would like to manage.
    2. Double-click the "HTTP Response Headers" icon.
    3. Right-click the header list and select "Add".
    4. For the "name" write "X-Xss-Protection" and for the value write in your desired option, e.g. "1".

    Besides, Angular also has its own security features to prevent XSS attacks.

    For more details, you could refer to the article below.

    https://www.code-sample.com/2017/11/angular-prevent-xss-csrf-attacks.html

    Best Regards,

    Brando

    Tuesday, February 13, 2018 8:11 AM
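    The "add a header to every response" idea from the middleware above, as an added example written for this thread rather than code from the reply or from ASP.NET Core. It works over a plain header map so it runs without Node, IIS or Angular installed. `addSecurityHeaders` adds `X-Xss-Protection: 1` exactly as the reply does, and alongside it a Content-Security-Policy, which is what current browsers actually enforce against injected script (Chromium-based browsers removed the XSS auditor that `X-XSS-Protection` controlled in 2019, and Firefox never implemented it); `missingSecurityHeaders` is the check you would run to verify that a code-level or IIS-level setting actually reached the response. The CSP value and the `X-Content-Type-Options` header are assumptions chosen for the example, and the sample response headers are constructed.

```typescript
// Added example, not code from the reply or from ASP.NET Core.
type HeaderMap = Record<string, string>;

// Headers this example adds. "1" for X-Xss-Protection is the value from the
// reply; the other two are assumptions for the example. The CSP is a strict
// starting point: it blocks inline scripts and scripts from other origins,
// which is what stops injected markup from executing in browsers that no
// longer have an XSS auditor. An Angular app that needs inline styles or a
// CDN must widen it deliberately rather than drop it.
const SECURITY_HEADERS: HeaderMap = {
  "X-Xss-Protection": "1",
  "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'",
  "X-Content-Type-Options": "nosniff",
};

// HTTP header names are case-insensitive, so compare them that way.
function hasHeader(headers: HeaderMap, name: string): boolean {
  const wanted = name.toLowerCase();
  return Object.keys(headers).some((k) => k.toLowerCase() === wanted);
}

// Returns a copy of the response headers with the security headers added.
// An existing header is left alone (a page that sets its own CSP keeps it),
// and no header is duplicated under a different casing.
function addSecurityHeaders(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const k in headers) out[k] = headers[k];
  for (const name in SECURITY_HEADERS) {
    if (!hasHeader(out, name)) out[name] = SECURITY_HEADERS[name];
  }
  return out;
}

// Verification step: names of the expected headers that a response lacks.
// Run this against a real response after changing the middleware or the IIS
// setting; an empty array means the configuration took effect.
function missingSecurityHeaders(headers: HeaderMap): string[] {
  return Object.keys(SECURITY_HEADERS).filter((name) => !hasHeader(headers, name));
}

// Constructed sample: a response from a server configured only through the
// IIS steps above, so it carries X-Xss-Protection and nothing else.
const SAMPLE_RESPONSE_HEADERS: HeaderMap = {
  "Content-Type": "text/html; charset=utf-8",
  "x-xss-protection": "1",
};

console.log(missingSecurityHeaders(SAMPLE_RESPONSE_HEADERS));
console.log(addSecurityHeaders(SAMPLE_RESPONSE_HEADERS));
```

    Whether the header is added in code or in IIS, the check is the same: fetch a page and confirm the headers are present on the response, because a header configured in one place (say, a site-level IIS setting) can be missing from responses served by another path.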