XSS and CSRF Prevention
Protect against Cross-Site Scripting and Cross-Site Request Forgery.
XSS Prevention
Server-Side
- Input sanitization — all user input is sanitized via DTOs
- Output encoding — template engines auto-encode
- Content-Security-Policy — restrict script sources
// class-validator on DTOs
@IsString()
@MaxLength(255)
@Transform(({ value }) => sanitizeHtml(value))
title: string;
Client-Side (Angular)
Angular auto-escapes all template bindings:
<!-- Safe: auto-escaped -->
<p>{{ userInput }}</p>
<!-- Dangerous: bypasses sanitization -->
<div [innerHTML]="userInput"></div>
Use Angular's DomSanitizer for trusted HTML:
this.sanitizer.bypassSecurityTrustHtml(trustedHtml);
CSRF Prevention
Token-Based
For cookie-based auth, use CSRF tokens:
app.use(csurf({ cookie: true }));
JWT Alternative
Gauzy primarily uses JWTs in the Authorization header, which is inherently CSRF-proof since:
- Tokens are in headers, not cookies
- Browsers don't auto-attach Authorization headers
Security Checklist
- Angular template auto-escaping
- Server-side input validation
- CSP headers configured
- JWT-based auth (CSRF-resistant)
- HttpOnly cookies for refresh tokens
- SameSite cookie attribute
Related Pages
- Content Security Policy — CSP configuration
- Security Headers — all security headers
- Input Validation — server validation