Skip to content

Revise security guidelines for XSS and CSR #1307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Oct 21, 2025
Merged

Revise security guidelines for XSS and CSR #1307

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4b246b6
Revise security guidelines for XSS and CSR
titoBouzout Oct 20, 2025
b8facc6
Merge branch 'main' into patch-12
kodiakhq[bot] Oct 20, 2025
46e1a3d
Merge branch 'main' into patch-12
kodiakhq[bot] Oct 20, 2025
ec69787
Merge branch 'main' into patch-12
kodiakhq[bot] Oct 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions src/routes/solid-start/guides/security.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,13 @@ However, this protection does not apply when using [`innerHTML`](/reference/jsx-

To protect your application from XSS attacks:

- Set a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
- Validate and sanitize user inputs, especially form inputs on the server and client.
- Avoid using `innerHTML` when possible.
If necessary, make sure to sanitize user-supplied data with libraries such as [DOMPurify](https://github.com/cure53/DOMPurify).
- Validate and sanitize user inputs, especially form inputs on the server and client.
- Set a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
- Sanitize attributes containing user-supplied data within `<noscript>` elements.
This includes both the attributes of the `<noscript>` element itself and its children.
- When URLs are provided or constructed via user input validate its `origin` and `protocol` (to avoid evaluating code via `javascript:` URLs) using the [URL](https://developer.mozilla.org/en-US/docs/Web/API/URL) API.

It is highly recommended to read the [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) for further guidance.

Expand Down Expand Up @@ -135,7 +136,7 @@ export default createMiddleware({

## CSRF (Cross-Site Request Forgery)

To prevent CSRF attacks, a middleware can be used to block untrusted requests:
To prevent basic CSRF attacks, a middleware can be used to block untrusted requests:

```tsx
import { createMiddleware } from "@solidjs/start/middleware";
Expand Down Expand Up @@ -193,6 +194,7 @@ export default createMiddleware({
```

This example demonstrates a basic CSRF protection that verifies the `Origin` and `Referer` headers, blocking requests from untrusted origins.
**Please note both of these headers can be forged.**
Additionally, consider implementing a more robust CSRF protection mechanism, such as the [Double-Submit Cookie Pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern).

For further guidance, you can look at the [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html).