The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended.
This is similar to defending against SQL injection.
Be careful with how much information you give away in your error messages.
Provide only minimal errors to your users, to ensure they don't leak secrets present on your server. Don't provide full exception details either, as these can make complex attacks like SQL injection far easier.
Another powerful tool in the XSS defender's toolbox is Content Security Policy (CSP).
CSP is a header your server can return which tells the browser to limit how and what JavaScript is executed in the page, for example to disallow running any scripts not hosted on your domain, disallow inline JavaScript, or disable eval().
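As an added example (not code from the original article), here is a small Python evaluator for the script-src part of a CSP header, showing how a locked-down policy refuses foreign-origin, inline and eval() scripts while a loose one lets them through. The two policies and the origins are constructed for illustration; nonces, hashes and 'strict-dynamic' are not modelled.

```python
from urllib.parse import urlsplit

# Constructed policies for illustration (not taken from a real site).
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"
LOOSE_CSP = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com"


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def allows_script(header, page_origin, src=None, inline=False, eval_=False):
    """Decide whether a browser honouring `header` would run a script.

    page_origin: scheme://host of the page, e.g. "https://www.example.com".
    src: URL of an external <script>; inline: inline <script> or on* handler;
    eval_: eval() / new Function(). Nonces, hashes and 'strict-dynamic' are
    not modelled, so a real browser may accept more than this function does.
    """
    policy = parse_csp(header)
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src", []))
    if not sources or "'none'" in sources:
        return False
    if inline:
        return "'unsafe-inline'" in sources
    if eval_:
        return "'unsafe-eval'" in sources
    if src is None:
        raise ValueError("give src, inline=True or eval_=True")
    parts = urlsplit(src)
    script_origin = f"{parts.scheme}://{parts.netloc}".lower()
    for source in sources:
        if source == "'self'" and script_origin == page_origin.lower():
            return True
        if source.startswith("'"):
            continue  # other keywords ('unsafe-inline' etc.) grant no host
        if source == "*" or script_origin == source.lower():
            return True
        if "://" not in source and parts.netloc.lower() == source.lower():
            return True  # scheme-less host source matches by host name
    return False
```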
Everyone knows they should use complex passwords, but that doesn’t mean they always do.
It is crucial to use strong passwords for your server and website admin area, but equally important to insist on good password practices for your users to protect the security of their accounts.
Here are our top nine tips to help keep you and your site safe online.
It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure.
This applies to both the server operating system and any software you may be running on your website such as a CMS or forum.
When website security holes are found in software, hackers are quick to attempt to abuse them.
The majority of website security breaches are not attempts to steal your data or mess with your website layout, but attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature.