– use a modern, popular framework that is developed with security in mind
– don’t use the framework insecurely. Consult the documentation and follow the recommended patterns.
– keep the framework and the dependencies up to date
– read the Security chapter from the documentation of the framework and understand how it prevents XSS
– if there is a need to use the framework in a nontypical way, understand the impact on security
– understand HTML Sanitization and understand to what extent it is achieved by the framework
– understand Output Encoding
– if you don’t use a good framework, or your framework doesn’t protect you out of the box, use specific libraries for Output Encoding.
– be aware that Output Encoding applies not only to HTML, but also to JS, CSS and URL contexts
– validate, escape, sanitize
– understand cookie attributes, such as HttpOnly
– use the proper Content Security Policy (CSP)
– have a properly configured Web Application Firewall (WAF) in front
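As an added example (not from the original page), the encoders below show why Output Encoding is context-specific: the same untrusted value needs HTML entity encoding, JavaScript string escaping and URL component encoding depending on where it lands, and a URL used as a whole href additionally needs a scheme allow-list. All helper names are assumed, and the sample value is constructed.

```javascript
// Added example: context-aware output encoding for untrusted data.
// Helper names are hypothetical; each one targets exactly one output context.

// HTML body / attribute context: encode the characters that can open or
// close tags, attributes or entities.
function encodeForHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// JavaScript string context (value placed inside a quoted JS literal):
// escape every non-alphanumeric character as \xHH or \uHHHH, so the value
// can neither close the literal nor form a </script> sequence.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encode the value.
function encodeForUrlParam(input) {
  return encodeURIComponent(String(input));
}

// Whole-URL (href) context: encoding alone is not enough, because a
// javascript: or data: URL is syntactically valid; allow-list the scheme,
// then HTML-encode the result for the attribute it is placed in.
function safeHref(input) {
  const s = String(input).trim();
  if (/^(https?:\/\/|\/(?!\/))/i.test(s)) return encodeForHtml(s);
  return '#'; // unsafe scheme: render an inert link instead
}

// Constructed sample: one attacker-controlled value rendered into three
// contexts; each encoder neutralises it for its own context only.
const untrusted = '<script>alert(1)</script>';
function renderDemo(value) {
  return {
    html: '<p>' + encodeForHtml(value) + '</p>',
    js: "var name = '" + encodeForJsString(value) + "';",
    url: '/search?q=' + encodeForUrlParam(value),
  };
}
```

Using the HTML encoder for a value dropped into a JS literal (or vice versa) is the classic mistake this list warns about: the output looks encoded but the wrong characters were escaped for that context.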





