XSS and CSRF Prevention
Protect against Cross-Site Scripting and Cross-Site Request Forgery.
XSS Preventionβ
Server-Sideβ
- Input sanitization β all user input is sanitized via DTOs
- Output encoding β template engines auto-encode
- Content-Security-Policy β restrict script sources
// class-validator on DTOs
@IsString()
@MaxLength(255)
@Transform(({ value }) => sanitizeHtml(value))
title: string;
Client-Side (Angular)β
Angular auto-escapes all template bindings:
<!-- Safe: auto-escaped -->
<p>{{ userInput }}</p>
<!-- Dangerous: bypasses sanitization -->
<div [innerHTML]="userInput"></div>
Use Angular's DomSanitizer for trusted HTML:
this.sanitizer.bypassSecurityTrustHtml(trustedHtml);
CSRF Preventionβ
Token-Basedβ
For cookie-based auth, use CSRF tokens:
app.use(csurf({ cookie: true }));
JWT Alternativeβ
Gauzy primarily uses JWTs in the Authorization header, which is inherently CSRF-proof since:
- Tokens are in headers, not cookies
- Browsers don't auto-attach Authorization headers
Security Checklistβ
- Angular template auto-escaping
- Server-side input validation
- CSP headers configured
- JWT-based auth (CSRF-resistant)
- HttpOnly cookies for refresh tokens
- SameSite cookie attribute
Related Pagesβ
- Content Security Policy β CSP configuration
- Security Headers β all security headers
- Input Validation β server validation