Cross-Site Scripting, a Top 10 threat

XSS is one of the most common attacks a website will face; we can help.

What is XSS?

Cross-Site Scripting, or XSS, has consistently been ranked as one of the Top 10 threats a web application will face by OWASP, the Open Web Application Security Project. In short, XSS happens when an attacker can inject something into your website that you don't want to be there.

Imagine a comment or review section on your site where customers or visitors can leave their own remark. They're supposed to type a nice message into the field which will then be saved and shown on your website to other visitors. What if they type something else in there? What if they type malicious code in the field?

Whilst a basic example, this is the very essence of an XSS attack: someone managed to get hostile code into your website.


An example of XSS

Mitigating XSS

The first lines of defence against XSS are a combination of input sanitisation and output encoding. Using the example above, when the user submits a comment or review you should check that it doesn't contain anything hostile, like JavaScript, and filter or reject anything that does. The second step is to properly encode the comment for the HTML context it is rendered into when it is displayed on the website.

If done properly these methods would protect a site from XSS attacks like our example, but having just a single line of defence is never a great idea; we need defence-in-depth. There are many other ways that hostile script could find its way into your site, and input sanitisation and output encoding alone simply aren't enough.
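The two steps described above, as an added example (not code from the original page): a crude sanitisation check that rejects submissions carrying HTML tags, a deliberately vulnerable renderer that drops stored text straight into the HTML body, and the corrected renderer that encodes for that context. The sample comments, the `review` class name and the function names are all constructed for this illustration.

```python
import html
import re

# Constructed sample comments for this example (not from the page).
BENIGN_COMMENT = "Great kettle, boils fast. 5/5"
HOSTILE_COMMENT = "<script>alert(1)</script>"

# Matches the start of an HTML tag: '<' followed by an optional '/' and a tag name.
TAG_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def looks_like_markup(comment: str) -> bool:
    """Input sanitisation step: a product review has no business containing HTML tags."""
    return TAG_PATTERN.search(comment) is not None


def accept_comment(comment: str) -> str:
    """Reject a submission that carries markup; return the stripped comment otherwise."""
    if looks_like_markup(comment):
        raise ValueError("comment rejected: HTML markup is not allowed")
    return comment.strip()


def render_unsafe(comment: str) -> str:
    """The defect: stored text is interpolated straight into the HTML body context,
    so a stored <script> tag is parsed and executed by every visitor's browser."""
    return f'<p class="review">{comment}</p>'


def render_safe(comment: str) -> str:
    """Output encoding for the HTML body context: '<', '>', '&' and quotes become
    entities, so the browser displays the text literally instead of parsing it as a tag."""
    return f'<p class="review">{html.escape(comment, quote=True)}</p>'


if __name__ == "__main__":
    print(render_unsafe(HOSTILE_COMMENT))  # tag survives: the vulnerable case
    print(render_safe(HOSTILE_COMMENT))    # tag is inert text
    print(accept_comment(BENIGN_COMMENT))
```

The tag check is the "reject" option from the text and is intentionally strict; a site that wants to allow limited formatting would use a proper HTML sanitiser instead. Output encoding is the step that must never be skipped, and it has to match the context (HTML body here; attribute, URL and JavaScript contexts each need their own encoding).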

Content Security Policy

The last and ultimate line of defence against XSS is Content Security Policy. With CSP we change the approach slightly by whitelisting all allowed content on our site. If content is whitelisted then it is allowed to run; if it's not, the browser will block it.

With this approach, if hostile content is somehow injected into your site and gets past the other countermeasures, the browser will be your last line of defence and neutralise the attack. The final piece of the puzzle is of course reporting.

With CSP reports sent back by the browser you can know that an attack was neutralised and then address the root cause using the information in the report itself.
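To show what "using the information in the report itself" looks like in practice, here is an added example (not code from the original page or from any reporting product): a constructed policy, a constructed violation report in the JSON shape browsers POST to a `report-uri` endpoint, and a small triage routine that tells an inline-script block (the shape an injected comment-field payload takes) apart from a load from an origin the policy does not list. The policy, the `shop.example.com` page, the collector URL and all report values are placeholders; only the report field names (`document-uri`, `violated-directive`, `effective-directive`, `blocked-uri`, ...) are the standard CSP report keys.

```python
import json
from urllib.parse import urlparse

# Constructed policy for this example (not from the page); the collector URL is a placeholder.
POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "object-src 'none'; "
    "report-uri https://REPORT-COLLECTOR.example/csp"
)


def make_report(blocked_uri: str) -> str:
    """Build a constructed violation report in the JSON shape browsers POST to report-uri.

    The field names are the standard CSP report keys; every value here is made up.
    """
    return json.dumps({
        "csp-report": {
            "document-uri": "https://shop.example.com/product/42",
            "referrer": "",
            "violated-directive": "script-src 'self' https://cdn.example.com",
            "effective-directive": "script-src",
            "original-policy": POLICY,
            "blocked-uri": blocked_uri,
            "status-code": 200,
        }
    })


def parse_policy(policy: str) -> dict:
    """Turn a serialised CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def parse_report(body: str) -> dict:
    """Unwrap the 'csp-report' object from a report-uri POST body."""
    return json.loads(body)["csp-report"]


def triage(report: dict, policy: str) -> dict:
    """Classify one violation so the root cause can be chased down.

    kind == 'inline': script embedded in the page itself was blocked, which is what an
    injected payload that slipped past sanitisation and encoding looks like.
    kind == 'external': a load from an origin the policy does not list; either an injected
    remote script or a legitimate third party that was left out of the whitelist.
    """
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    directives = parse_policy(policy)
    allowed = directives.get(directive, directives.get("default-src", []))
    result = {"directive": directive, "document": report["document-uri"], "allowed": allowed}
    if blocked in ("inline", "eval", ""):
        result.update(kind="inline", origin=None)
    else:
        parsed = urlparse(blocked)
        result.update(kind="external", origin=f"{parsed.scheme}://{parsed.netloc}")
    return result


if __name__ == "__main__":
    for blocked in ("inline", "https://unlisted.example/tracker.js"):
        print(triage(parse_report(make_report(blocked)), POLICY))
```

The `document-uri` tells you which page carried the blocked content and `allowed` shows what the policy permitted at the time, so an inline-script report on a page that should contain no inline script points straight at the injection point to fix.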

An example CSP report

Some facts about us

37k+ Domains Monitored
1.22T+ Reports Processed
1k+ Alexa Top 1M Sites

Simple Pricing


Enterprise Accounts

We can tailor a package to your exact requirements with custom usage, billing and SLA. You need an enterprise account if you're looking for any of the following features, just get in touch!

  • Invoicing
  • Managed/Dedicated Instance
  • Geographic Hosting/Processing
  • Custom or Unlimited Usage
  • Support SLA
  • Custom Terms

We're Trusted By

Award Winning Service