Introduction

    The use of will prevent most XSS problems as it will automatically encode the text.

    Don’t use eval

    eval() function is evil, never use it. Needing to use eval usually indicates a problem in your design.

    Canonicalize data to consumer (read: encode before use)

    When using data to build HTML, script, CSS, XML, JSON, etc. make sure you take into account how that data must be presented in a literal sense to keep its logical meaning.

    Data should be properly encoded before used in this manner to prevent injection style issues, and to make sure the logical meaning is preserved.

    Check out the OWASP Java Encoder Project.

    Don’t rely on client logic for security

    Least ye have forgotten the user controls the client side logic. I can use a number of browser plugging to set breakpoints, skip code, change values, etc. Never rely on client logic.

    Don’t rely on client business logic

    Just like the security one, make sure any interesting business rules/logic is duplicated on the server side less a user bypass needed logic and do something silly, or worse, costly.

    Take a look at the for links.

    Avoid building XML or JSON dynamically

    Just like building HTML or SQL you will cause XML injection bugs, so stay way from this or at least use an encoding library or safe JSON or XML library to make attributes and element data safe.

    Never transmit secrets to the client

    Anything the client knows the user will also know, so keep all that secret stuff on the server please.

    Don’t perform encryption in client side code

    Use TLS/SSL and encrypt on the server!

    Don’t perform security impacting logic on client side

    This is the overall one that gets me out of trouble in case I missed something :)

    Server Side

    Take a look at the Cross-Site Request Forgery (CSRF) Prevention cheat sheet.

    Protect against JSON Hijacking for Older Browsers

    Review AngularJS JSON Hijacking Defense Mechanism

    See the section of the AngularJS documentation.

    Always return JSON with an Object on the outside

    Exploitable:

    Not exploitable:

    Also not exploitable:

    Avoid writing serialization code. Remember ref vs. value types!

    Look for an existing library that has been reviewed.

    Services can be called by users directly

    Even though you only expect your AJAX client side code to call those services the users can too.

    Make sure you validate inputs and treat them like they are under user control (because they are!).

    Avoid building XML or JSON by hand, use the framework

    Use the framework and be safe, do it by hand and have security issues.