During my time at Gusto as a part of the Application Security team, I’ve been exploring ways to improve defense against Cross-Site Scripting (XSS) in modern web applications.

At Gusto, we primarily use Ruby on Rails and React.js. Individually, each framework comes with some XSS protections out of the box, but passing data between the two frameworks makes contextual output escaping or encoding harder: the questions of what to escape, when and where to escape it, and how to escape it for the context it lands in become more difficult to answer.

A Content Security Policy (CSP) allows us to define rules around content as another layer of defense in…
