

2. Protect cookies against theft
First, never place private user data such as an email address or password directly in a cookie. Second, binding the cookie to the client's IP address reduces the damage of a cookie leak: a cookie obtained by an attacker is then of little real value and cannot be replayed from another address.
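The IP binding described above, as an added example that is not part of the original article: the cookie carries only an opaque session id plus an HMAC computed over the session id and the client address, so a cookie replayed from a different address fails verification. The secret, session ids and addresses are constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _tag(session_id: str, client_ip: str) -> str:
    """HMAC-SHA256 over the session id and the client IP."""
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_session_cookie(session_id: str, client_ip: str) -> str:
    """Build the cookie value: '<opaque session id>.<tag>'.

    No user data (email, password, ...) is stored in the cookie; the
    session id must not contain '.', which separates it from the tag.
    """
    if "." in session_id:
        raise ValueError("session id must not contain '.'")
    return f"{session_id}.{_tag(session_id, client_ip)}"


def verify_session_cookie(cookie: str, client_ip: str) -> Optional[str]:
    """Return the session id if the cookie is valid for this client IP.

    Returns None for malformed cookies, tampered tags, or a cookie presented
    from an address other than the one it was bound to (replay).
    """
    try:
        session_id, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = _tag(session_id, client_ip)
    # Constant-time comparison avoids leaking the tag through timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id


if __name__ == "__main__":
    c = issue_session_cookie("sess-0001", "203.0.113.5")   # constructed values
    print(verify_session_cookie(c, "203.0.113.5"))        # sess-0001
    print(verify_session_cookie(c, "198.51.100.7"))       # None (replayed elsewhere)
```

Binding to the exact address breaks sessions for users whose address changes mid-session (mobile networks, load-balanced proxies), which is why the text says it "reduces" rather than eliminates the risk; a deployment that sees such churn can bind to a coarser value or treat a mismatch as a signal to re-authenticate rather than a hard failure.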
3. Submit forms with POST rather than GET
A POST request cannot be triggered without JavaScript (a GET can be fired by something as simple as an img tag), which raises the bar for the attacker and reduces the number of cross-site vulnerabilities that can be exploited.
4. Check the Referer strictly
Check that the HTTP Referer header comes from an expected URL. This blocks the HTTP requests made by the type 2 attack, and also blocks most of the type 1 attack, unless the cross-site payload happens to be planted on the very page that refers to the privileged operation.
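A strict Referer check, as an added example that is not part of the original article. It parses the header and compares the hostname against an allow-list; the allowed host names and the sample Referer values are constructed. A naive prefix test such as `referer.startswith("https://example.com")` is not strict, because it also accepts `https://example.com.evil.test/`, and the parser below rejects that case.

```python
from typing import Optional, Set
from urllib.parse import urlsplit


def referer_allowed(referer: Optional[str], allowed_hosts: Set[str],
                    allow_missing: bool = False) -> bool:
    """Return True only if the Referer's hostname is on the allow-list.

    allow_missing decides what to do when the header is absent (browsers and
    privacy extensions sometimes strip it); the strict choice is False.
    """
    if not referer:
        return allow_missing
    parts = urlsplit(referer)
    # Only real web origins count; 'javascript:' and friends are rejected.
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit().hostname strips port and userinfo and lowercases the host,
    # so 'https://example.com@evil.test/' yields 'evil.test'.
    host = parts.hostname
    if host is None:
        return False
    return host in {h.lower() for h in allowed_hosts}


def check_privileged_request(headers: dict, allowed_hosts: Set[str]) -> bool:
    """Apply the check to a request's header dict (keys case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return referer_allowed(lowered.get("referer"), allowed_hosts)


if __name__ == "__main__":
    allowed = {"example.com"}  # constructed allow-list
    for ref in ["https://example.com/account",
                "https://example.com.evil.test/",
                "https://evil.test/?u=https://example.com",
                None]:
        print(repr(ref), referer_allowed(ref, allowed))
```

Run this check only on the privileged operations themselves, and decide explicitly how a missing header is handled: rejecting it is stricter, but will turn away legitimate clients that strip the Referer.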
5. Turn single-step operations into multi-step processes, with a verification code at each step
In the multi-step process, a verification code is generated for each step and embedded as a hidden form element in the intermediate page. In the next step the code is submitted to the server, which checks that it matches.
For one thing, this adds a great deal of trouble for the first type of attacker. For another, the attacker must obtain the verification code generated by the previous step before launching the next request, which is almost impossible in the second type of attack.
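The per-step verification code described above, as an added example that is not part of the original article. Each step's code is random, stored server-side for the session, embedded in the page as a hidden field, and checked when the next step is submitted; any mismatch aborts the whole flow so the attacker cannot skip ahead or replay an earlier code. The step names and session id are constructed.

```python
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

# Constructed step names for a privileged operation.
STEPS = ("review", "confirm", "execute")


class MultiStepGuard:
    """Per-session, per-step verification codes for a multi-step operation."""

    def __init__(self) -> None:
        # session_id -> (index of the step expected next, its verification code)
        self._pending: Dict[str, Tuple[int, str]] = {}

    def begin(self, session_id: str) -> str:
        """Start the flow and return the code for step 0's hidden field."""
        token = secrets.token_urlsafe(32)
        self._pending[session_id] = (0, token)
        return token

    def submit(self, session_id: str, step: str, token: str) -> Optional[str]:
        """Validate a submitted step.

        Returns the code for the next step, or None when the final step
        succeeded. Raises PermissionError, and aborts the flow, on any
        mismatch of step order or verification code.
        """
        entry = self._pending.get(session_id)
        if entry is None:
            raise PermissionError("no flow in progress")
        expected_index, expected_token = entry
        step_ok = step == STEPS[expected_index]
        token_ok = hmac.compare_digest(token.encode(), expected_token.encode())
        if not (step_ok and token_ok):
            # Abort: the attacker would have to restart from step 0 and
            # obtain a fresh code for every step again.
            del self._pending[session_id]
            raise PermissionError("step or verification code mismatch")
        next_index = expected_index + 1
        if next_index >= len(STEPS):
            del self._pending[session_id]
            return None
        next_token = secrets.token_urlsafe(32)
        self._pending[session_id] = (next_index, next_token)
        return next_token

    @staticmethod
    def hidden_field(token: str) -> str:
        """Hidden form element carrying the code into the intermediate page."""
        return f'<input type="hidden" name="step_token" value="{html.escape(token)}">'


if __name__ == "__main__":
    guard = MultiStepGuard()
    t = guard.begin("sess-0001")          # constructed session id
    for name in STEPS:
        print(guard.hidden_field(t))
        t = guard.submit("sess-0001", name, t)
    print("flow complete:", t is None)
```

The codes must be unpredictable (here `secrets.token_urlsafe`) and stored on the server, not derived from anything visible to the client; otherwise the attacker could compute the next step's code without having seen the previous page.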
6. Introduce user interaction
A simple verification number that the user must enter blocks almost all unintended privileged operations.
7. Use dynamic JavaScript only where anonymous access is allowed.
8. For img and other links in user-submitted content, check for redirects back to the site, images that are not real images, and other suspicious behaviour.
9. Internal management of the website
In many cases, internal management sites neglect security and rely on simply restricting access by source address. Such sites are often vulnerable to XSS attacks and need the same care. Security is a long-term concern and has never been a one-size-fits-all business. Compared with other attack methods, XSS is more covert and more varied, and it is tied to the business process and the code implementation; there is no one-and-done solution. In addition, when facing XSS, product convenience is often sacrificed to achieve complete security. How to balance security and convenience is also a matter to be considered.
