Doctor
@doctoridze
As a rule of thumb, you should always encode HTML entities, such as the < and > characters, when they come from untrusted sources. To escape URIs and JavaScript code, you can use free escaping/encoding tools such as the JavaScript String Escaper and URL Encoder/Decoder by FreeFormatter.

Doctor
@doctoridze
While encoding adds an extra character before a potentially dangerous character, such as the \ character before the quotation mark in JavaScript, escaping converts a character into an equivalent but safe format, for instance the > character into the &gt; string in HTML.

Doctor
@doctoridze
Escape or encode user input
To avoid XSS attacks, it’s also important to escape or encode incoming or unsafe data. Escaping and encoding are two technologies that convert special characters that can pose a security risk into a safe form.
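The two posts above (the rule of thumb about `<` and `>`, and "Escape or encode user input") describe output encoding without showing it. The following is an added example, not code from the original posts: one encoder per output context (HTML body/attribute, JavaScript string literal, URL query parameter) plus a scheme check for `href` values, since encoding alone does not stop a `javascript:` URL. `example.invalid` is a placeholder base URL assumed for the example; the payloads are constructed.

```javascript
// Added example (not from the original posts): context-aware output encoding in Node.js.
// Each function targets exactly one output context. Using the wrong one (e.g. HTML
// encoding inside a JavaScript string literal) still leaves an injection path.

// HTML text and attribute context: the five significant characters plus '/'.
function encodeForHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// JavaScript string-literal context: \xHH / \uHHHH-escape everything that is not
// alphanumeric, so quotes, newlines, U+2028/2029 and </script> cannot break out.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encode the value. Only ever place it in a
// parameter; the scheme and host are never built from untrusted input.
function encodeForUrlParam(untrusted) {
  return encodeURIComponent(String(untrusted));
}

// A whole href is a different problem: a correctly HTML-encoded "javascript:alert(1)"
// is still a javascript: URL. Resolve it (placeholder base, an assumption of this
// example) and allow only http(s).
function isSafeHref(candidate) {
  try {
    const u = new URL(String(candidate), 'https://example.invalid/');
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch {
    return false;
  }
}

// Putting the encoders in their contexts for a constructed profile page.
function renderProfile(name, bio, homepage) {
  const href = isSafeHref(homepage) ? encodeForHtml(homepage) : '#';
  return [
    `<h1>${encodeForHtml(name)}</h1>`,
    `<a href="${href}">homepage</a>`,
    `<a href="/search?q=${encodeForUrlParam(name)}">find similar</a>`,
    `<script>var bio = "${encodeForJsString(bio)}";</script>`,
  ].join('\n');
}
```

Usage: `renderProfile('<img src=x onerror=alert(1)>', '";alert(1)//', 'javascript:alert(1)')` returns markup in which the tag is inert text, the bio string cannot close its literal, and the homepage link falls back to `#`.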

Doctor
@doctoridze
This is a web API that extends the JavaScript interfaces belonging to different HTML elements used in forms, such as HTMLInputElement, HTMLSelectElement, and HTMLButtonElement and provides useful properties and methods for checking input validity against different constraints, reporting validity status, and performing other actions.

Doctor
@doctoridze
In addition to these HTML5 attributes, modern browsers also come with support for the Constraint Validation API that lets you perform custom input validation using JavaScript.

Doctor
@doctoridze
HTML5 forms come with built-in form validation attributes such as required, min, max, type, and others that let you check user data and return error messages without any JavaScript on the client side. You can also use the pattern HTML attribute to validate the value of an input using a Regular Expression.

Doctor
@doctoridze
Validate user input
Validating user input on both the client- and server-side is essential to avoid malicious code injections.
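The posts above on HTML5 validation attributes, the Constraint Validation API and validating on both sides share one point: whatever `required`, `min`, `max` and `pattern` enforce in the browser must be enforced again on the server, because a request sent with curl never runs the client-side checks. This added example (not code from the original posts) re-implements those constraints server-side for a hypothetical profile form; the field names and rules are assumptions for the example, and the submitted bodies are constructed.

```javascript
// Added example (not from the original posts): server-side re-validation of the HTML5
// constraints a form declares. Mirrors this hypothetical markup (an assumption):
//   <input name="username" required pattern="[a-z0-9_]{3,16}">
//   <input name="age" type="number" required min="18" max="120">
//   <input name="website" type="url">
const PROFILE_FORM = {
  username: { required: true, pattern: '[a-z0-9_]{3,16}' },
  age:      { required: true, type: 'number', min: 18, max: 120 },
  website:  { type: 'url' },
};

// Browsers anchor the pattern attribute to the whole value; do the same, otherwise
// "abc<script>" passes on the "abc" substring. The 'u' flag matches browser behaviour.
function compilePattern(pattern) {
  return new RegExp('^(?:' + pattern + ')$', 'u');
}

function validateField(name, rule, raw) {
  const value = raw === undefined || raw === null ? '' : String(raw);
  if (value === '') return rule.required ? [`${name}: required`] : [];
  const errors = [];
  if (rule.type === 'number') {
    const n = Number(value);
    if (!Number.isFinite(n)) {
      errors.push(`${name}: not a number`);
    } else {
      if (rule.min !== undefined && n < rule.min) errors.push(`${name}: below min ${rule.min}`);
      if (rule.max !== undefined && n > rule.max) errors.push(`${name}: above max ${rule.max}`);
    }
  }
  if (rule.type === 'url') {
    // type="url" in the browser accepts any absolute URL, including javascript:.
    // The server applies the stricter rule it actually needs.
    try {
      const u = new URL(value);
      if (u.protocol !== 'https:' && u.protocol !== 'http:') errors.push(`${name}: scheme not allowed`);
    } catch {
      errors.push(`${name}: not a URL`);
    }
  }
  if (rule.pattern && !compilePattern(rule.pattern).test(value)) errors.push(`${name}: pattern mismatch`);
  return errors;
}

// Validate a parsed request body against the schema. Fields the form never declared are
// rejected rather than silently accepted (mass-assignment guard).
function validateForm(schema, body) {
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`${key}: unexpected field`);
  }
  for (const [name, rule] of Object.entries(schema)) {
    errors.push(...validateField(name, rule, body[name]));
  }
  return errors;
}
```

Validation narrows what is accepted; it does not replace output encoding for values that are later rendered into HTML or script.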

Doctor
@doctoridze
If you don’t have any inline scripts on your page, it’s easier to set up a more effective CSP. You can use the script-src and default-src directives to block all inline scripts, so if any malicious inline script tries to execute on your site, it will automatically fail.

Doctor
@doctoridze
For better security, we’d also recommend that you establish a content security policy (CSP). This is a security layer in the communication between client and server that allows you to add content security rules to your HTTP response header.

Doctor
@doctoridze
Using inline script tags makes your website or application more vulnerable to cross-site scripting (XSS) attacks. You can avoid this JavaScript security risk by adding all your scripts, including inline event handlers (e.g. onclick), as external .js files.

Doctor
@doctoridze
Avoid using inline JavaScript and establish a Content Security Policy
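The posts above on avoiding inline JavaScript and setting a Content Security Policy describe the policy but not what it looks like or how to find the inline script it will break. This added example (not code from the original posts) builds a `script-src` policy with no `'unsafe-inline'`, returns the response headers to set, and scans a page for the inline `<script>` blocks, `on*` handlers and `javascript:` URLs that policy will block. The HTML scan is regex-based and approximate (an assumption of the example, not a parser); the sample page is constructed.

```javascript
// Added example (not from the original posts): a CSP that forbids inline script, and a
// pre-deployment check for the inline script it would block.

// No 'unsafe-inline' in script-src, so <script>...</script> and onclick="..." stop
// running; object-src 'none' and base-uri 'none' close two common CSP bypasses.
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Headers to add to every HTML response. Start with Content-Security-Policy-Report-Only
// (reportOnly=true) to see violations in the browser console without blocking anything.
function securityHeaders(reportOnly = false) {
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { [name]: buildCsp() };
}

// Approximate scan (regex, not an HTML parser) for script the policy will refuse:
// inline <script> without src, inline event-handler attributes, javascript: URLs.
function findInlineScript(html) {
  const findings = [];
  let m;
  const scriptRe = /<script\b([^>]*)>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) findings.push({ kind: 'inline-script', at: m.index });
  }
  const handlerRe = /\son[a-z]{2,}\s*=/gi;
  while ((m = handlerRe.exec(html)) !== null) findings.push({ kind: 'event-handler', at: m.index });
  const jsUrlRe = /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi;
  while ((m = jsUrlRe.exec(html)) !== null) findings.push({ kind: 'javascript-url', at: m.index });
  return findings;
}

// Constructed page: one external script (allowed by script-src 'self') and two inline
// pieces that the policy blocks and that should move into /static/app.js.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="/static/app.js"></script>
<script>alert(document.cookie)</script>
</head><body><button onclick="save()">Save</button></body></html>`;

// Constructed corrected page: same behaviour, no inline script.
const FIXED_HTML = `<!doctype html><html><head>
<script src="/static/app.js"></script>
</head><body><button id="save">Save</button></body></html>`;
```

Usage: set the object returned by `securityHeaders()` on every HTML response (with `res.setHeader` in Node, or the equivalent in your framework), and run `findInlineScript` over your rendered templates until it returns an empty list before switching from report-only to enforcing.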

Doctor
@doctoridze
In your HTML code, you need to add the hash value you’ve generated for the external JavaScript file to the integrity attribute of the <script> or <link> element. To make the SRI checking work, you also need to add the crossorigin=anonymous attribute that makes it possible to send a cross-origin request without any credentials.

Doctor
@doctoridze
To generate the hash value, you can use a generator such as SRI Hash Generator or a command-line tool such as OpenSSL or Shasum (see the respective shell commands).

Doctor
@doctoridze
Subresource Integrity (SRI) checking is a feature built into modern web browsers (see browser support) that uses a cryptographic hash to verify the integrity of an external script.

Doctor
@doctoridze
Add Subresource Integrity (SRI) checking to external scripts
As third-party or external scripts can be easily manipulated, checking their integrity before fetching them from the external server is one of the most essential JavaScript security best practices.

Doctor
@doctoridze
Audit dependencies using a package manager
To keep third-party JavaScript security vulnerabilities in check, you need to track all the packages you’re using on your website. You can do this by using a package manager such as npm, Yarn, or pnpm.
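The post above recommends auditing dependencies through the package manager. This added example (not code from the original posts) shows what to do with the result: it triages an `npm audit --json` report, fails the build at a chosen severity, and separates "run `npm audit fix`" from "major upgrade needed" and "no fix, replace the package". The report object is constructed for illustration in the shape npm 7+ emits (top-level `vulnerabilities` keyed by package name plus `metadata.vulnerabilities` counts); the package names in it are fictional.

```javascript
// Added example (not from the original posts): CI gate over `npm audit --json` output.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report (fictional package names) in the npm 7+ JSON shape.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    'left-pad-ish':  { name: 'left-pad-ish',  severity: 'low',      isDirect: false, range: '<1.0.2',  fixAvailable: true },
    'some-parser':   { name: 'some-parser',   severity: 'high',     isDirect: true,  range: '<=2.1.0', fixAvailable: { name: 'some-parser', version: '2.1.1', isSemVerMajor: false } },
    'old-templater': { name: 'old-templater', severity: 'critical', isDirect: false, range: '*',       fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

// Findings at or above the threshold, worst first, each with a remediation hint.
// fixAvailable is true (plain `npm audit fix`), false (no fixed version exists) or an
// object naming the version to upgrade to and whether that crosses a major.
function triageAudit(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= min)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity])
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      range: v.range,
      action: v.fixAvailable === false ? 'no fix available: replace the package or pin with a written justification'
            : v.fixAvailable === true  ? 'npm audit fix'
            : `upgrade to ${v.fixAvailable.version}${v.fixAvailable.isSemVerMajor ? ' (major version change)' : ''}`,
    }));
}

// Non-zero when anything at or above the threshold remains, for use as a CI exit code.
function auditExitCode(report, threshold = 'high') {
  return triageAudit(report, threshold).length === 0 ? 0 : 1;
}
```

Usage: `npm audit --json > audit.json`, then `JSON.parse(require('fs').readFileSync('audit.json', 'utf8'))` into `triageAudit`. `npm audit --audit-level=high` already gives the exit code on its own; the triage table is what tells a reviewer which findings are a one-command fix and which need a replacement. Run it in CI on every lockfile change, not only at release time.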

Doctor
@doctoridze
The three most well-known JavaScript linters are JSHint, JSLint, and ESLint. Modern source code editors, such as Visual Studio Code and Atom, also come with pluggable JavaScript linting functionality.

Doctor
@doctoridze
JavaScript security best practices
To help you protect yourself and your users, we’ve put together a JavaScript security checklist that includes a couple of best practices and recommends some tools that can help you eliminate common vulnerabilities and prevent malicious attacks against your website or application.

Doctor
@doctoridze
Third-party security vulnerabilities
Some of these tools, such as React by Facebook, are developed and maintained by large corporations, and reliably fix issues and follow JavaScript security best practices. However, many of them are by indie developers or smaller teams that don’t always have the resources to regularly audit or update their code.

Doctor
@doctoridze
Third-party security vulnerabilities
In front-end development, we use many third-party tools and libraries that are open to all kinds of JavaScript exploits.