Skip to content
OWASP Cheat Sheet Series
AJAX Security
Initializing search
OWASP/CheatSheetSeries
OWASP Cheat Sheet Series
OWASP/CheatSheetSeries
Introduction
Index Alphabetical
Index ASVS
Index MASVS
Index Proactive Controls
Index Top 10
Cheatsheets
Cheatsheets
AJAX Security
AJAX Security
Table of contents
Introduction
Client Side (JavaScript)
Use .innerText instead of .innerHTML
Don't use eval(), new Function() or other code evaluation tools
Canonicalize data to consumer (read: encode before use)
Don't rely on client logic for security
Don't rely on client business logic
Avoid writing serialization code
Avoid building XML or JSON dynamically
Never transmit secrets to the client
Don't perform encryption in client side code
Don't perform security impacting logic on client side
Server Side
Use CSRF Protection
Protect against JSON Hijacking for Older Browsers
Review AngularJS JSON Hijacking Defense Mechanism
Always return JSON with an Object on the outside
Avoid writing serialization code Server Side
Services can be called by users directly
Avoid building XML or JSON by hand, use the framework
Use JSON And XML Schema for Webservices
Abuse Case
Access Control
Attack Surface Analysis
Authentication
Authorization
Authorization Testing Automation
Automotive Security.md
Bean Validation
Browser Extension Vulnerabilities
C-Based Toolchain Hardening
CI CD Security
Choosing and Using Security Questions
Clickjacking Defense
Content Security Policy
Cookie Theft Mitigation
Credential Stuffing Prevention
Cross-Site Request Forgery Prevention
Cross Site Scripting Prevention
Cryptographic Storage
DOM Clobbering Prevention
DOM based XSS Prevention
Database Security
Denial of Service
Deserialization
Django REST Framework
Django Security
Docker Security
DotNet Security
Drone Security
Error Handling
File Upload
Forgot Password
GraphQL
HTML5 Security
HTTP Headers
HTTP Strict Transport Security
Infrastructure as Code Security
Injection Prevention
Injection Prevention in Java
Input Validation
Insecure Direct Object Reference Prevention
JAAS
JSON Web Token for Java
Java Security
Key Management
Kubernetes Security
LDAP Injection Prevention
Laravel
Legacy Application Management
Logging
Logging Vocabulary
Mass Assignment
Microservices Security
Microservices based Security Arch Doc
Mobile Application Security
Multifactor Authentication
NPM Security
Network Segmentation
NodeJS Docker
Nodejs Security
OAuth2
OS Command Injection Defense
PHP Configuration
Password Storage
Pinning
Prototype Pollution Prevention
Query Parameterization
REST Assessment
REST Security
Ruby on Rails
SAML Security
SQL Injection Prevention
Secrets Management
Secure Cloud Architecture
Secure Product Design
Securing Cascading Style Sheets
Server Side Request Forgery Prevention
Session Management
Software Supply Chain Security
Symfony
TLS Cipher String
Third Party Javascript Management
Threat Modeling
Transaction Authorization
Transport Layer Protection
Transport Layer Security
Unvalidated Redirects and Forwards
User Privacy Protection
Virtual Patching
Vulnerability Disclosure
Vulnerable Dependency Management
Web Service Security
XML External Entity Prevention
XML Security
XSS Filter Evasion
XS Leaks
Table of contents
Introduction
Client Side (JavaScript)
Use .innerText instead of .innerHTML
Don't use eval(), new Function() or other code evaluation tools
Canonicalize data to consumer (read: encode before use)
Don't rely on client logic for security
Don't rely on client business logic
Avoid writing serialization code
Avoid building XML or JSON dynamically
Never transmit secrets to the client