I had the same question when I created two applications using Express, one with an MVC architecture and the other as a REST API. Basically, if you choose one path (MVC or REST), it protects you from CSRF but leaves you vulnerable to XSS, and vice versa.
In your case, if you use a stateful architecture in Adonis: the shield library. If you are in a stateless architecture, since you are responsible for the front-end as well, to protect yourself from XSS attacks the application script (client or server side) must always escape (clean, so to speak) the user input before writing it to HTML or the database (for example, transform < into &lt;, > into &gt;, and so on). If you use frameworks like Angular, they provide this "cleaning" of user data by default, preventing XSS attacks.
If you use React.js, you never manipulate the DOM directly, so your application is also protected against XSS attacks. React prevents us from injecting HTML code directly into our components: it renders HTML as a string. This is great, but sometimes we need to insert HTML code into our components. At that point it depends on the developer's attention and testing during coding to build code that is not vulnerable to XSS.
This link talks about how to prevent XSS attack in Reactjs.
Now, if the front end is not your responsibility, I think you should have a long talk with the team responsible for the front.
This material, "Your API-Centric Web App Is Probably Not Safe Against XSS and CSRF", talks about how to protect yourself from CSRF and XSS and the pros and cons of using Token, Web Storage, Authorization Header, and Session cookie.
I hope I helped, because that’s what I discovered by researching and I’m very willing to know more about the subject in case someone wants to comment on my reply.
I don’t understand why it was marked as too broad. The question has a well-defined context, preventing XSS and CSRF attacks on stateless API using the Adonis framework.
– Filipe Moraes