What does a Content Security Policy do?
Restricts where scripts, styles, and other resources can be loaded from. Even if an attacker injects a script tag, the browser will not run it if the source is not in the CSP whitelist. Use helmet to set a sane default.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Prevent XSS in Node.js Applications
Cross-Site Scripting. An attacker submits malicious HTML or JavaScript to your app. When another user views it, the script runs in their browser. Can steal sessions, deface the app, or spread worms.
Escape output (React does this by default), strip HTML from input with xss-clean or dompurify, use httpOnly cookies, set a Content Security Policy with helmet, validate input, and sanitize rich text on render. Layer defenses.
If a script does run in the browser, it cannot read httpOnly cookies. The JWT token stored in an httpOnly cookie is safe. This is defense in depth; it does not prevent XSS, but limits the damage.
Still have questions?
Browse all our FAQs or reach out to our support team
