Security is crucial for modern web applications. Let’s explore essential practices and implementations.
Cross-Site Scripting (XSS) Prevention
// React's built-in XSS prevention
function SafeComponent({ userInput }: { userInput: string }) {
return <div>{userInput}</div>; // React escapes this automatically
}
// Manual escaping when needed
function escapeHtml(unsafe: string) {
return unsafe
.replace(/&/g, "&")
.replace(/</g, "<")
.replace(/>/g, ">")
.replace(/"/g, """)
.replace(/'/g, "'");
}
CSRF Protection
// Express middleware example
app.use(csrf());
// React form with CSRF token
function Form() {
return (
<form method="POST">
<input type="hidden" name="_csrf" value={csrfToken} />
{/* form fields */}
</form>
);
}
Content Security Policy
// Express CSP middleware
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
},
}));
Essential Security Measures:
- Input validation and sanitization
- Secure session management
- HTTPS everywhere
- Regular security audits
- Dependency vulnerability scanning