Creating Secure Applications¶
This topic describes steps that are required to prevent common web-application attacks such as Cross-Site Scripting (XSS). Using XSS, attackers can exploit security vulnerabilities in your application, which can cause significant damage to your business and technical infrastructure. Using Web Components from the Web Component SDK library without implementing the additional security measures that are required to build secure applications is not recommended. You can defend against common XSS attacks by encoding and validating data input on the server side.
Attackers can send malicious code in different ways, such as:
- Input elements on the page
- HTTP requests
- URI addresses that point to invalid or private data
- Cookie files
There are multiple types of XSS attacks, including:
Reflected XSS Attacks¶
In a reflected XSS attack, an attacker sends malicious data in an HTTP request to a server that does not process the data before sending an immediate response to the browser. When the request data is not processed correctly, the response can contain malicious JavaScript that runs in the client's browser.
Stored XSS Attacks¶
Also referred to as persistent XSS, this attack happens when an attacker sends malicious data that is then stored on the server. The malicious payload is delivered in a later response to users who access the application or website.
DOM XSS Attacks¶
In DOM XSS attacks, an attacker attempts to write data to modify the DOM of a web page. Controlling JavaScript properties in the DOM can lead to undesired effects, such as being able to inject and run code on a client's browser.
Sanitize All Input and Handle Data Carefully¶
To prevent XSS attacks, make sure that user input does not contain malicious code by using the following methods:
- Encode HTML data before placing it inside an HTML element.
- Escape and sanitize input boxes to prevent malicious JavaScript code from running.
- Do not allow data from untrusted sources to modify vulnerable JavaScript properties and functions.
These rules are examples that you can apply to make sure that web components such as the Grid and Text Area are safe to deploy in a production environment. You should always validate all input data, whether an application is hosted locally or available publicly.
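The following is an added example, not code from the Web Component SDK, showing the three rules above applied in plain JavaScript: HTML-encoding untrusted values before they are placed in markup (here, a hypothetical grid row), restricting which link targets are accepted, and writing untrusted text to the DOM through `textContent` instead of an HTML-interpreting property. The record and field names are constructed for illustration.

```javascript
// Added example (hypothetical helpers, not part of the SDK).
// Rule 1: encode the five characters that have meaning in HTML so that
// untrusted text is rendered literally instead of being parsed as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Rule 3: only allow http(s) and same-origin relative links to reach an href.
// Anything else (including schemes that execute script) is neutralised to '#'.
function safeHref(value) {
  try {
    // Constructed base origin; only used to resolve relative paths.
    const url = new URL(String(value), 'https://example.invalid/');
    return ['http:', 'https:'].includes(url.protocol) ? encodeHtml(value) : '#';
  } catch (e) {
    return '#'; // unparseable input is never placed in an attribute
  }
}

// Rule 1 applied to a grid: every cell of an untrusted record is encoded
// before it is concatenated into the row markup.
function renderGridRow(record) {
  const cells = Object.values(record).map((v) => `<td>${encodeHtml(v)}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

// Rule 2/3 in the browser: textContent never interprets markup, whereas
// innerHTML would. Works with any object exposing a textContent property.
function setTextSafely(element, untrusted) {
  element.textContent = String(untrusted);
  return element.textContent;
}

// Constructed sample: a record containing markup and quotes in a user field.
const sampleRecord = { name: 'Ann <i>Lee</i>', note: 'says "hi" & \'bye\'' };
console.log(renderGridRow(sampleRecord));
```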