XSS Cross-Site Scripting Attack and Defense
Explain XSS attack types and defense strategies.
XSS Types
Stored XSS
The payload is saved server-side (comment, profile field, support ticket) and served to every user who views the affected page, so no victim interaction beyond visiting the page is needed. This persistence and reach make it the highest-impact type.
Reflected XSS
The payload travels in the request (URL query parameter, form field, sometimes a header) and the server echoes it into the response without encoding. The victim has to open an attacker-crafted link, so it is usually delivered through phishing or a malicious page.
DOM-based XSS
Client-side JavaScript reads attacker-controlled data from a source (location.hash, location.search, document.referrer, a postMessage payload) and writes it to a dangerous sink (innerHTML, document.write, eval, a string argument to setTimeout) without encoding. The payload may never reach the server, so server-side filters and logs do not see it.
Defense Strategies
Output Encoding
Encode untrusted data for the exact context it is inserted into, at the point of output. In HTML text and quoted attributes, entity-encode &, <, >, " and '; inside a JavaScript string literal, use \uXXXX escapes (including for <, so a value cannot close the script element); in a URL parameter, percent-encode. Output encoding beats input filtering because the same stored value can land in several contexts, each needing a different encoder.
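The context-aware encoding described above, as an added example in Node.js that is not code from the original page. A vulnerable page builder is shown beside its hardened form; the function names, the profile page and the sample payloads are this example's own assumptions, and the payloads are constructed for illustration.

```javascript
// Added example (not from the original page): encoding untrusted data per
// output context. Names below are assumptions made for this illustration.

// HTML text and quoted-attribute context: the five characters that can break
// out of text or a quoted attribute. The single quote is included so the same
// function is safe in single-quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JavaScript string-literal context (data handed to an inline <script>).
// JSON.stringify quotes and escapes " and \, but leaves < and > untouched, so
// a value containing "</script>" would still close the script element. Also
// escape U+2028/U+2029, which are line terminators in JS but plain text in JSON.
function escapeJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// URL context for an href: allow only http(s) so a javascript: URL, which no
// amount of HTML encoding neutralises, is replaced by a harmless fragment.
function safeHttpUrl(value) {
  try {
    const u = new URL(String(value));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch (_) {
    return '#';
  }
}

// Vulnerable: raw interpolation into three different contexts.
function renderProfileVulnerable(displayName, homepage) {
  return `<h1>${displayName}</h1>` +
    `<a href="${homepage}">homepage</a>` +
    `<script>var user = "${displayName}";</script>`;
}

// Hardened: each context gets its own encoder. The href is validated first,
// then attribute-encoded, because it sits inside a quoted HTML attribute.
function renderProfileSafe(displayName, homepage) {
  return `<h1>${escapeHtml(displayName)}</h1>` +
    `<a href="${escapeHtml(safeHttpUrl(homepage))}">homepage</a>` +
    `<script>var user = ${escapeJsString(displayName)};</script>`;
}

// Constructed sample payloads, as an attacker might store or reflect them.
const PAYLOAD_HTML = '<img src=x onerror=alert(1)>';
const PAYLOAD_JS = '";alert(1);//</script><script>alert(2)</script>';
const PAYLOAD_URL = 'javascript:alert(document.cookie)';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderProfileVulnerable(PAYLOAD_HTML, PAYLOAD_URL));
  console.log('hardened:  ', renderProfileSafe(PAYLOAD_HTML, PAYLOAD_URL));
  console.log('js context:', renderProfileSafe(PAYLOAD_JS, 'https://example.com/'));
}
```

Running it prints the raw `<img ... onerror>` and `javascript:` link from the vulnerable builder, and entity-encoded text, `href="#"` and a `\u003c/script\u003e` sequence that cannot terminate the script block from the hardened one. The point to take away is that `escapeHtml` alone would not have saved the script or href contexts.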
Content Security Policy (CSP)
The Content-Security-Policy response header tells the browser where scripts may be loaded from and blocks inline script unless it carries a per-response nonce or a matching hash. A nonce-based policy with 'strict-dynamic' is the robust form; plain host allowlists are frequently bypassable through JSONP endpoints or script gadgets on the allowed hosts. CSP is defence in depth that contains an injection the encoding layer missed; it does not replace output encoding.
HttpOnly Cookie
A cookie marked HttpOnly is not exposed through document.cookie, so an injected script cannot read and exfiltrate the session token. This limits impact rather than preventing XSS: the script still runs with the user's session and can send requests that carry the cookie, read page content, and act as the user. Combine it with Secure and SameSite.
Framework Protections
React (JSX) and Vue ({{ }} interpolation) HTML-encode interpolated values by default, so XSS in these apps usually enters through the explicit opt-outs, dangerouslySetInnerHTML in React and v-html in Vue, or through attacker-controlled href and src values, where encoding does not stop a javascript: URL. Avoid the opt-outs; where raw HTML is genuinely required, run it through an HTML sanitizer such as DOMPurify first and keep the opt-out confined to one reviewed component.
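To show what "escape by default with an explicit opt-out" means mechanically, here is an added example of a minimal auto-escaping template tag in Node.js. It is not React or Vue code and not from the original page; the `html` tag, the `TrustedHtml` wrapper and `trustedHtml()` are this example's own names, standing in for JSX interpolation and for dangerouslySetInnerHTML / v-html respectively.

```javascript
// Added example (not from the original page, not React or Vue internals):
// an escape-by-default template tag with a typed opt-out for raw markup.

// Values of this type are inserted verbatim; everything else is encoded.
// Making the opt-out a distinct type means a plain string can never be
// mistaken for trusted markup, and every use of trustedHtml() is greppable.
class TrustedHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// The explicit opt-out, playing the role of dangerouslySetInnerHTML / v-html.
// Assumption: callers sanitize before wrapping; this function does not.
function trustedHtml(markup) {
  return new TrustedHtml(String(markup));
}

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render one interpolated value: trusted markup passes through, nested
// templates are already TrustedHtml so they are not double-encoded, arrays
// are concatenated (lists of items), null/undefined render as empty text.
function renderValue(v) {
  if (v instanceof TrustedHtml) return v.markup;
  if (Array.isArray(v)) return v.map(renderValue).join('');
  if (v === null || v === undefined) return '';
  return escapeHtml(v);
}

// Tagged template: literal parts are author-written markup, interpolations
// are untrusted unless wrapped. Returns TrustedHtml so templates compose.
function html(strings, ...values) {
  let out = '';
  strings.forEach((literal, i) => {
    out += literal;
    if (i < values.length) out += renderValue(values[i]);
  });
  return new TrustedHtml(out);
}

// Typical component: author name is plain data and is encoded automatically;
// the comment body arrives as pre-sanitized HTML and must be wrapped on purpose.
function renderComment(author, sanitizedBodyHtml) {
  return html`<article><b>${author}</b>${trustedHtml(sanitizedBodyHtml)}</article>`;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample input: a hostile author name next to an allowed body.
  const page = html`<ul>${[
    renderComment('<script>alert(1)</script>', '<p>hello</p>'),
    renderComment('alice', '<p><em>hi</em></p>'),
  ].map((c) => html`<li>${c}</li>`)}</ul>`;
  console.log(page.markup);
}
```

The hostile author name comes out as `&lt;script&gt;...` while the body's `<p>` survives, which is exactly the division React draws between `{value}` and `dangerouslySetInnerHTML`. The risk lives entirely at the `trustedHtml()` call sites, so those are the lines to review and the place a sanitizer belongs.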