XSS (Cross-Site Scripting) Protection
High Severity
What This Check Measures
This check evaluates protection against Cross-Site Scripting (XSS) attacks — where attackers inject malicious scripts into web pages viewed by other users.
Why It Matters
- Session Hijacking — Attackers can steal user session cookies
- Credential Theft — Fake login forms can capture passwords
- Malware Distribution — Injected scripts can redirect to malicious sites
- Defacement — Page content can be modified for visitors
- Keylogging — User keystrokes can be captured
How Data Is Obtained
Source File
src/checks/safety.check.js
Function
SafetyCheck.analyze(url)
Current Implementation
```javascript
// References the Security section for CSP header analysis
checks.push({
  name: 'XSS (Cross-Site Scripting) Protection',
  status: 'info',
  description: 'CSP headers provide XSS protection (see Security section)',
  severity: 'high'
});
```
Related Check
For actual XSS protection analysis, see the Security Headers Agent (security.check.js), which examines:
- Content-Security-Policy (CSP) header
- X-XSS-Protection header (deprecated but still checked)
- X-Content-Type-Options header
Status Values
| Status | Meaning |
|---|---|
| info | This check is informational. XSS protection is primarily evaluated through CSP headers in the Security section. |
Severity: High
This check has high severity because:
- XSS attacks can compromise user accounts
- They're common and often automated
- Impact ranges from annoyance to complete account takeover
- They can be used as stepping stones for larger attacks
Types of XSS Attacks
Stored XSS
Malicious script is permanently stored on the target server (e.g., in a database). Affects all users who view the infected content.
Reflected XSS
Script is reflected off a web server in error messages, search results, or URL parameters. Requires the user to click a malicious link.
DOM-based XSS
The vulnerability exists in client-side JavaScript that processes user input unsafely. The server never sees the malicious payload.
Protection Mechanisms
How to Protect Against XSS
- Content Security Policy (CSP) — Restrict script sources via HTTP header
- Output Encoding — Escape user-controlled data for the context it is rendered into (HTML body, attribute, JavaScript, URL)
- Input Validation — Sanitize and validate all user inputs
- HttpOnly Cookies — Prevent JavaScript access to session cookies
- X-Content-Type-Options — Prevent MIME type sniffing
- Modern Frameworks — Use frameworks with built-in XSS protection (React, Vue, Angular)
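As an added illustration of the header-based mechanisms above and of the headers the Related Check section lists, the following is example code written for this page, not the project's own safety.check.js or security.check.js. It assumes a plain object mapping lower-cased header names to values, and the sample header sets are constructed.

```javascript
// Added example, not the project's own code: evaluate the XSS-related response
// headers named above. `headers` is assumed to map lower-cased header names to
// values, as produced by iterating a fetch() Response's headers.
// parseCsp turns a CSP string into { directive: [sources...] }; everything is
// lower-cased, which is adequate for keyword checks such as 'unsafe-inline'.
function parseCsp(csp) {
  const policy = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}
// Returns a list of findings; an empty array means every header check passed.
function evaluateXssHeaders(headers) {
  const findings = [];
  const add = (severity, message) => findings.push({ severity, message });
  const csp = headers['content-security-policy'];
  if (!csp) {
    add('high', 'Content-Security-Policy header missing');
  } else {
    const policy = parseCsp(csp);
    // script-src falls back to default-src when absent.
    const scriptSrc = policy['script-src'] || policy['default-src'];
    if (!scriptSrc) {
      add('high', 'CSP defines neither script-src nor default-src');
    } else {
      // Browsers ignore 'unsafe-inline' once a nonce or hash source is present, so only flag it otherwise.
      const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
      if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) add('high', "CSP allows 'unsafe-inline' scripts");
      if (scriptSrc.includes('*')) add('medium', 'CSP allows scripts from any origin (*)');
    }
  }
  const xcto = headers['x-content-type-options'];
  if (!xcto || xcto.trim().toLowerCase() !== 'nosniff') add('medium', 'X-Content-Type-Options: nosniff missing');
  // Deprecated header: the legacy filter it enabled caused its own problems, so 0 (off) or absent is preferred.
  const xxp = headers['x-xss-protection'];
  if (xxp !== undefined && xxp.trim() !== '0') add('low', 'X-XSS-Protection is deprecated; set it to 0 or remove it');
  return findings;
}
// Constructed sample header sets: a weak response and a hardened one.
const weakHeaders = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline' *",
  'x-xss-protection': '1; mode=block',
};
const hardenedHeaders = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'",
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '0',
};
```

Running `evaluateXssHeaders(weakHeaders)` reports four findings, while the hardened set reports none; an absent CSP or missing nosniff shows up as its own finding even when the other headers are fine.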
Impact on Category Score
Currently returns info status with neutral impact. For XSS protection scoring, the Security Headers Agent evaluates CSP and other protective headers.