How to protect your Web applications from XSS
The W3C Security Web Application Guidelines (SWAG) Community Group seeks to make it easier for developers to leverage security features that are often complex in their application development.
SWAG launched in June 2024 after the W3C Workshop "Secure the Web Forward". One of the workshop’s findings, and some accompanying developer research presented there, is that web developers are generally unsure about security and their role in ensuring that web apps are secure. This group’s mission, therefore, is “to increase the overall security of web application development by writing security best practices for web developers and providing a platform for stakeholder collaboration.” In the same manner as that workshop, SWAG is intended to be connected to other organizations that share a similar mission, such as the OpenSSF Best Practices Group, OpenJS Foundation, and OWASP.
One of the first results of SWAG’s efforts is a set of videos addressing the complexities of Content Security Policy and Trusted Types. These two features can be used as effective XSS mitigations but, unfortunately, are difficult to configure due to the breadth of the threats they mitigate and the fact that they are time-consuming to debug.
Six talks introduce open-source tooling developed from Google’s large-scale CSP and Trusted Types adoption work. These tools, which serve as a natural interface between developers and the specifications, provide actionable help in a tight feedback loop during the development cycle to reduce the uncertainty and complexity of configuring these best-in-class web security mitigations against XSS. The experience of Google engineers who have shipped strict CSP and Trusted Types to hundreds of web applications is distilled into tools that provide best practices and gentle guidance toward a more secure codebase.
SWAG meets every week, and these talks were recorded during the meeting of 11 November 2024. The six videos are available via the "Security at W3C" playlist on W3C's YouTube channel.