WarDek is a complete compliance suite that combines an OWASP vulnerability scanner with NIS2, AI Act and GDPR compliance modules, specially designed for European SMEs.

Is my company subject to NIS2?

The NIS2 directive applies to essential and important entities in sectors such as energy, healthcare, transport, digital, etc. Use our free simulator to check.

How should I use WarDek reports in an audit?

WarDek reports provide a practical working base for your team, auditor, or compliance preparation. They are not an official certification or legal opinion.

How long does a scan take?

A complete OWASP scan typically takes between 2 and 5 minutes depending on the complexity of your website.

Absolutely. We never store your credentials. Reports are encrypted and you can delete them at any time. We are hosted in France.

Can I try before I buy?

Yes! The Free plan lets you test WarDek with 3 scans per month, no credit card required.

XSS Protection: Complete Guide to Securing Your Website

Cross-Site Scripting — XSS — consistently ranks in the OWASP Top 10 most critical web vulnerabilities. It is one of the most widespread attack vectors on the web today, yet many developers still underestimate it. This guide breaks down how XSS works, shows real attack scenarios, and gives you concrete techniques to protect your website.

What Is an XSS Attack?

XSS occurs when an attacker injects malicious JavaScript into a web page that other users then load. The browser trusts the page's origin, executes the injected code, and the attacker can steal session cookies, redirect users, log keystrokes, or deface the page entirely.

There are three main variants:

Reflected XSS — The malicious script is embedded in a URL. The victim clicks a crafted link, the server echoes the payload back in the response, and the browser executes it. Classic example: a search page that renders a query parameter without HTML encoding.

Stored XSS — The payload is saved in the database (comment, profile bio, support ticket) and rendered every time someone views that content. Far more dangerous because it runs automatically for every visitor.

DOM-based XSS — The vulnerability lives entirely in client-side JavaScript. The page reads attacker-controlled data from location.hash or document.referrer and writes it directly into the DOM without sanitization.

Why XSS Is Still So Dangerous in 2026

Modern applications have more attack surface than ever. Rich text editors, user-generated content, third-party widgets, and single-page apps that manipulate the DOM dynamically all introduce new injection points. A single stored XSS in an admin panel can lead to a full account takeover or a supply chain attack affecting thousands of end users.

NIST's National Vulnerability Database lists hundreds of new XSS CVEs each year. Even mature frameworks occasionally ship with XSS vulnerabilities in their component libraries.

The Six Core Defenses

1. Output Encoding — The Non-Negotiable Baseline

Every piece of data rendered in HTML must be encoded for the correct context:

HTML context: encode <, >, &, ", '
JavaScript context: use JSON.stringify() or a dedicated encoder
URL context: use encodeURIComponent()
CSS context: avoid dynamic CSS values from user input entirely

Most modern frameworks (React, Vue, Angular) encode by default when you use standard templating. Dangerous patterns are explicit: raw HTML injection props in React, v-html in Vue, property binding to innerHTML in Angular. Treat these like a code smell — every usage requires a security review.

2. Input Validation — Reject at the Door

Validate all inputs against an allowlist of expected values and formats. A date field should only accept ISO date strings. A username should only contain alphanumeric characters and hyphens. Reject or sanitize anything outside the expected format before it touches your database.

Validation is not a substitute for output encoding — it is a defense-in-depth layer.

3. HTML Sanitization for Rich Content

When you genuinely need to accept HTML (rich text editors, markdown rendered as HTML), use a server-side sanitization library that operates on a strict allowlist:

Node.js: DOMPurify (also works client-side), sanitize-html
Python: bleach, nh3
Java: OWASP Java HTML Sanitizer

Allowlist only the tags and attributes your use case requires. Never use a denylist — attackers find bypass vectors faster than you can patch them.

4. Content Security Policy (CSP)

CSP is a browser-side defense that restricts which scripts can execute on your page. A strict CSP prevents most XSS payloads from running even when an injection vulnerability exists.

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{RANDOM}'; object-src 'none'; base-uri 'self';

Use nonces for inline scripts rather than unsafe-inline. Rotate nonces per request. Start with Content-Security-Policy-Report-Only to audit your policy before enforcing it.

See our full CSP guide and the secure HTTP headers guide for implementation details.

5. HttpOnly and Secure Cookie Flags

If your session token cannot be read by JavaScript, XSS cannot steal it. Set HttpOnly on all authentication cookies. Pair it with Secure (HTTPS only) and SameSite=Strict or SameSite=Lax to reduce CSRF risk. See the OWASP API Security Top 10 for the full auth hardening checklist.

6. Regular Automated Scanning

Static defenses can drift. Dependencies get updated, new features get added, someone commits an unsafe HTML binding without review. Automated vulnerability scanning catches regressions before attackers do.

Common Mistakes to Avoid

Trusting front-end validation only. JavaScript validation is trivially bypassed with DevTools or curl. Always validate and encode server-side.

Assuming your framework handles everything. Frameworks protect you when you use their APIs correctly. The moment you drop into raw DOM manipulation or template interpolation with explicit unsafe flags, you are on your own.

Forgetting third-party widgets. An ad script, a chat widget, or an embedded analytics snippet runs with full page privileges. Vet third-party scripts carefully and use Subresource Integrity (SRI) hashes where possible.

Ignoring stored XSS in admin interfaces. Internal tools are not lower risk — a stored XSS in your admin panel can give an attacker access to every user account in your system.

Quick Assessment Checklist

[ ] All user-supplied data encoded for its render context
[ ] No raw HTML injection without sanitization
[ ] CSP header deployed and tested
[ ] HttpOnly + Secure + SameSite flags on session cookies
[ ] Automated XSS scanning integrated into your CI pipeline
[ ] Third-party scripts reviewed and SRI hashes configured

Detect XSS Vulnerabilities Before Attackers Do

Manual review and checklists only go so far. WarDek's automated security scanner tests your website against OWASP's most critical vulnerability categories — including XSS — and generates a prioritized report you can act on immediately. No setup required: enter your URL and get results in minutes.

Combine automated scanning with the defenses in this guide and you eliminate the vast majority of XSS risk from your application surface.