How to prevent Cross-Site Script Inclusion

Secret Tokens

This option is similar to the idea behind CSRF protection. When the script is included, a secret token is added to its URL as a GET parameter. The server can check the token, but an attacker cannot forge it. If the token value is correct, the server returns the contents of the file; otherwise it returns an error, for example an HTTP response with a 4xx status code.

<script src="//site.com/config.js?csrfToken=f5dd46b319e7f8b97f9630140c905471"></script>

With this approach, secret data is transferred in a GET parameter, which is bad system design. Any data passed through GET parameters can be obtained by an attacker who can access the web browser's history.

This is part of the Web-security course.
