How to Block HTML in forms (XSS) on Heroku

Why you might need this

Cross-Site Scripting (XSS) attacks are one of the most frequent types of attacks executed against web applications. Typically, malicious JavaScript code is injected into an application through a form endpoint that does not properly sanitize or encode its inputs.

Once the code has been injected, it can be used to steal data from users, deliver malware, and carry out other damaging activity.

Prerequisites

What you need to get started:

  1. The Expedited WAF add-on is set up in front of your application.

How To Stop XSS Attacks

On the Stop Attacks page of your Expedited WAF dashboard, select the Stop Suspected Attacks option.

Notes

  • If you have forms on your site that legitimately accept HTML or JavaScript input, you may need to exempt those URLs from checking.
  • Stopping suspected attacks is an additional layer of security for your site and should function alongside solid development practices, patching and testing.

Resources

More reading and framework resources on the prevention of XSS attacks.

General

Framework

Try Expedited WAF.
Get a Free Tee.

Option 1: Install Expedited WAF (the Web Application Firewall service that shields your Heroku applications from attacks) from the Heroku Elements Marketplace.

Seven days later we'll ask for some feedback and your (US or Canada only) shipping details.

Option 2: Select a Date & Time below to talk to us about your existing web application security framework and see how Expedited WAF can help better secure your Heroku applications.