XSS and CSRF Prevention
Protect against Cross-Site Scripting and Cross-Site Request Forgery.
XSS Prevention
Server-Side
- Input validation and sanitization - request bodies are validated through DTOs (class-validator), and fields that may legitimately carry HTML are run through an allowlist sanitizer before they are stored. This is defence in depth, not a substitute for output encoding.
- Output encoding - template engines encode interpolated values automatically, so user data is rendered as text rather than parsed as markup. This is the control that actually stops reflected and stored XSS.
- Content-Security-Policy - restricts the origins scripts may load from, limiting what an injected script can do even if the other two controls fail.
import { IsString, MaxLength } from 'class-validator';   // validation decorators
import { Transform } from 'class-transformer';            // @Transform is class-transformer, not class-validator
import sanitizeHtml from 'sanitize-html';

class ExampleDto {                                         // illustrative DTO, not a specific Gauzy class
  @IsString()
  @MaxLength(255)
  @Transform(({ value }) => sanitizeHtml(value))          // strips tags and attributes outside sanitize-html's default allowlist
  title: string;
}
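The output-encoding bullet above is where most of the protection comes from. As an added example, not code from Gauzy or from any template engine, the plain TypeScript below shows what "auto-encode" has to do in three HTML contexts and why one encoder is not enough: text and attributes are entity-encoded, data for an inline script is JSON-encoded with the characters that could end the script element escaped, and URL attributes are allowlisted by scheme because `javascript:` contains nothing an encoder would touch. `renderTask`, `safeHref` and `encodeForScript` are hypothetical helper names, and `constructedPayload` / `constructedState` are attack inputs constructed for this example.

```typescript
// Added example, not Gauzy code: context-aware output encoding in plain TypeScript.
// Template engines do this for interpolated values; the point is that each HTML
// context needs its own encoder, and that URLs need validation, not encoding.

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Text nodes and quoted attribute values: the five characters that can close
// the current context become entities, so markup in the value is shown, not parsed.
export function encodeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Data handed to an inline <script> as JSON. JSON.stringify alone is not enough:
// "</script>" inside a JSON string still ends the script element, and
// U+2028/U+2029 are line terminators in JavaScript but legal inside JSON strings.
export function encodeForScript(value: unknown): string {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// href/src values: "javascript:alert(1)" contains nothing an encoder would touch,
// so the scheme is allowlisted instead. Protocol-relative "//host" is rejected too.
export function safeHref(url: string): string {
  const trimmed = url.trim();
  return /^(https?:\/\/|\/(?!\/))/i.test(trimmed) ? encodeHtml(trimmed) : '#';
}

export interface TaskView { title: string; link: string; }

// Hypothetical render helper that puts the same untrusted data into all three contexts.
export function renderTask(task: TaskView, clientState: unknown): string {
  return [
    `<p class="title">${encodeHtml(task.title)}</p>`,
    `<a href="${safeHref(task.link)}" title="${encodeHtml(task.title)}">open</a>`,
    `<script>window.__state = ${encodeForScript(clientState)};</script>`,
  ].join('\n');
}

// Constructed attack input for this example (not real data).
export const constructedPayload: TaskView = {
  title: '"><img src=x onerror=alert(1)>',
  link: 'javascript:alert(document.cookie)',
};
export const constructedState = { note: '</script><script>alert(1)</script>' };
```

With `constructedPayload`, the title comes out as `&quot;&gt;&lt;img ...&gt;` in both the text node and the attribute, the link collapses to `#`, and the JSON blob contains no literal `</script>`, so the page still has exactly one script element. The same three inputs sent through a single naive `escape` would leave the `javascript:` URL intact.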
Client-Side (Angular)
Angular treats every value bound into a template as untrusted: interpolated text is escaped, and values bound to HTML, style, URL or resource-URL properties are passed through Angular's sanitizer.
<!-- Safe: rendered as text, markup in the value is escaped -->
<p>{{ userInput }}</p>
<!-- Risky: rendered as markup. Angular's HTML sanitizer strips script elements, event-handler attributes and javascript: URLs, but whatever passes the sanitizer is inserted into the DOM -->
<div [innerHTML]="userInput"></div>
DomSanitizer.bypassSecurityTrustHtml turns that sanitization off for one value. Use it only for HTML that is trusted by construction (generated by your own code, or from a server-side allowlist sanitizer), never for raw user input:
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
const safe: SafeHtml = this.sanitizer.bypassSecurityTrustHtml(trustedHtml); // sanitization is skipped for this value
CSRF Prevention
Token-Based
If an endpoint is authenticated by a cookie, the browser attaches that cookie to cross-site requests as well, so the endpoint needs a CSRF token that only same-origin script can obtain and must send back on every state-changing request. The csurf middleware implements this pattern; note that the csurf package is deprecated and no longer maintained, so for new code use a maintained equivalent or implement the double-submit/synchronizer check yourself:
app.use(cookieParser());          // csurf's cookie mode stores its secret via cookie-parser, which must run first
app.use(csurf({ cookie: true })); // expose req.csrfToken() to the client and reject requests without a valid token
JWT Alternative
Gauzy primarily uses JWTs in the Authorization header, which are not exposed to CSRF, because:
- The token travels in a request header, not in a cookie
- Browsers never attach an Authorization header on their own, and a cross-origin script that tries to set one is stopped by the CORS preflight
Two caveats. First, this holds only while the API does not also accept the same credential from a cookie; if the refresh token is delivered in an HttpOnly cookie (see the checklist below), the refresh endpoint is cookie-authenticated and needs its own CSRF defence, at minimum SameSite on that cookie and a check of the Origin header. Second, a token that client script can read is readable by injected script too, so the XSS controls above are what protect it.
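The following TypeScript is an added example that covers both the token-based check above and the Bearer-token case. It is not Gauzy's code: `CSRF_SECRET`, `ALLOWED_ORIGINS`, the `refresh_session` cookie, the `x-csrf-token` header and the `/api/auth/refresh` path are all assumptions made for illustration. It shows the check a cookie-authenticated refresh endpoint needs (Origin allowlist plus a session-bound HMAC token compared in constant time), while requests that carry a Bearer token pass through untouched, and it builds the refresh-token `Set-Cookie` value with the HttpOnly, Secure and SameSite attributes the checklist below calls for.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from 'crypto';

// Added example, not Gauzy's own code. Names below are assumptions for illustration.
const CSRF_SECRET = randomBytes(32);                          // assumed server-side secret
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed front-end origin
const SESSION_COOKIE = 'refresh_session';                     // assumed cookie carrying the refresh session
const CSRF_HEADER = 'x-csrf-token';                           // assumed header carrying the token
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

export interface Req {
  method: string;
  headers: Record<string, string | undefined>;  // header names lower-cased, as Node does
  cookies: Record<string, string | undefined>;  // already parsed, e.g. by cookie-parser
}

// Token = nonce + HMAC(secret, sessionId:nonce). Binding it to the session means a token
// leaked from one session is useless against another, and the server stores nothing.
export function issueCsrfToken(sessionId: string): string {
  const nonce = randomBytes(16).toString('hex');
  const mac = createHmac('sha256', CSRF_SECRET).update(`${sessionId}:${nonce}`).digest('hex');
  return `${nonce}.${mac}`;
}

export function verifyCsrfToken(sessionId: string, token: string | undefined): boolean {
  if (!token) return false;
  const [nonce, mac] = token.split('.');
  if (!nonce || !mac) return false;
  const expected = createHmac('sha256', CSRF_SECRET).update(`${sessionId}:${nonce}`).digest('hex');
  const given = Buffer.from(mac, 'hex');
  const want = Buffer.from(expected, 'hex');
  return given.length === want.length && timingSafeEqual(given, want); // constant-time compare
}

// Returns null when the request may proceed, otherwise the reason it is refused.
export function csrfCheck(req: Req): string | null {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return null; // must not change state anyway

  // Bearer auth: a cross-site page cannot make the browser attach this header, and a
  // cross-origin fetch that sets it is stopped by the CORS preflight. Nothing to check
  // here; the JWT itself is verified elsewhere.
  if (req.headers['authorization']?.startsWith('Bearer ')) return null;

  // Cookie auth (the refresh endpoint): the cookie is attached automatically, so a forged
  // request looks identical unless it also presents an Origin we trust and a token that
  // only same-origin script could have read.
  const sessionId = req.cookies[SESSION_COOKIE];
  if (!sessionId) return 'no credentials';
  const origin = req.headers['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return 'origin not allowed';
  if (!verifyCsrfToken(sessionId, req.headers[CSRF_HEADER])) return 'invalid csrf token';
  return null;
}

// Set-Cookie value for the refresh token: HttpOnly keeps it away from injected script,
// Secure + SameSite=Strict keep it off cross-site requests, Path scopes it to one endpoint.
export function refreshCookie(value: string, maxAgeSeconds: number): string {
  return `${SESSION_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; ` +
    'Path=/api/auth/refresh; HttpOnly; Secure; SameSite=Strict'; // assumed refresh path
}
```

The order of the checks matters: a request with a Bearer header is never examined for cookies, so an attacker who can only trigger cookie-bearing cross-site requests always lands in the second branch, where the Origin check alone stops classic form-post CSRF and the HMAC token covers clients that send no Origin header. The Origin check is deliberately an allowlist of exact origins, not a substring match on the host.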
Security Checklist
- Angular template auto-escaping
- Server-side input validation
- CSP headers configured
- JWT-based auth (CSRF-resistant)
- HttpOnly cookies for refresh tokens
- SameSite cookie attribute
Related Pages
- Content Security Policy - CSP configuration
- Security Headers - all security headers
- Input Validation - server validation