Last Updated: February 25, 2016 · jaysoo

Using CSP nonce directive to prevent XSS

String filtering and output escaping have been the standard XSS defence for some time now. Unfortunately, this approach has serious weaknesses: escaping is context-sensitive (HTML body, attribute, URL and JavaScript contexts each need different rules), it has to be applied correctly at every single output point, and one missed sink is enough for an attacker's script to run.

The good news is that with Content Security Policy (CSP) we can fight XSS with the right tool: instead of trying to keep attacker-controlled markup out of the page, we tell the browser which scripts are allowed to execute, so an injected script is blocked even if the escaping was missed.

Here's a demonstration of the new nonce source expression (`'nonce-...'` in the `script-src` directive): the server generates a fresh random nonce for each response, puts it in the `Content-Security-Policy` header, and adds it as a `nonce` attribute on the inline `<script>` tags it legitimately emits. Any other inline `<script>`, such as one injected through XSS, does not carry the nonce and is refused by the browser.

You will need Node.js and the Express framework to run the server.

https://gist.github.com/jaysoo/5691492

Note: As of this writing (early 2016) the nonce source is only supported in Chrome. It is part of CSP Level 2 and has since been implemented by all major browsers.