Pádraic Brady just posted “20 Point List For Preventing Cross-Site Scripting In PHP”. This is a thorough list of steps you should take when developing a Web site to prevent Cross-Site Scripting (XSS) attacks. Arguably, it would have been useful to include the explanations for some of these, but then the post could have been too long (and one less likely to actually be read). In any case, it’s worth a quick look through. I particularly like the following recommendations:
- Never forget to validate data arriving from an untrusted origin using relevant rules for the context it’s used in.
- Remember that anything not explicitly defined in source code has an untrusted origin.
- Never include resources loaded over unsecured HTTP on a page loaded over HTTPS.
- Adopt the Content Security Policy (CSP) header and abandon the use of inline CSS and Javascript where feasible.
- Ensure that cookies which must only be transmitted over HTTPS are marked Secure.
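To make these points concrete, here is a small PHP request handler that applies several of them together (an added illustration, not code from Pádraic Brady's post). The cookie name, the static stylesheet path and the username rule are assumptions for the example.

```php
<?php
// Added example: one handler applying several of the listed recommendations.
declare(strict_types=1);

// Adopt CSP and drop inline CSS/JavaScript. Only same-origin scripts and
// styles are allowed, so an injected <script> block is blocked by the
// browser even if output escaping was missed somewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'");

// Cookies that must only travel over HTTPS are marked Secure (HttpOnly and
// SameSite are added too). The options-array form of setcookie needs PHP 7.3+.
setcookie('session', bin2hex(random_bytes(16)), [
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
    'path'     => '/',
]);

// Anything not defined in source code is untrusted, so validate $_GET input
// against rules for the context it will be used in. Assumed rule: a username
// is 1-32 characters of letters, digits and underscores.
function validateUsername(string $raw): ?string
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw) === 1 ? $raw : null;
}

// Context-specific escaping for HTML body text: ENT_QUOTES covers both quote
// styles, ENT_SUBSTITUTE avoids empty output on invalid UTF-8.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$user = validateUsername((string)($_GET['user'] ?? ''));
if ($user === null) {
    http_response_code(400);
    exit('Invalid user name');
}

// Resources are referenced relative to this (HTTPS) origin, never via
// http://, so the page does not load mixed content.
echo '<!DOCTYPE html><html><head><meta charset="utf-8">';
echo '<link rel="stylesheet" href="/static/site.css"></head><body>';
echo '<h1>Hello, ' . escapeHtml($user) . '</h1>';
// A different context (URL query value) gets a different encoder.
echo '<a href="/profile?user=' . rawurlencode($user) . '">Profile</a>';
echo '</body></html>';
```

Note that validation and escaping are separate steps: the whitelist check rejects junk early, while `escapeHtml` and `rawurlencode` each match the exact context the value lands in.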