href="javascript:alert('unsafe');">click here To prevent this, you’ll need to set the Content Security Policy (CSP) response header. Cross-Site Request Forgery (CSRF) Another big problem is CSRF. This is a very complex https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport- Security Content Security Policy (CSP) Tell the browser where it can load various types of resource from. This header should be used whenever strict policy would be: response.headers['Content-Security-Policy'] = "default-src 'self'" https://csp.withgoogle.com/docs/index.html https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content- Security-Policy

href="javascript:alert('unsafe');">click here To prevent this, you’ll need to set the Content Security Policy (CSP) response header. 3.3.2 Cross-Site Request Forgery (CSRF) Another big problem is CSRF. This is a https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security Content Security Policy (CSP) Tell the browser where it can load various types of resource from. This header should be used whenever strict policy would be: response.headers['Content-Security-Policy'] = "default-src 'self'" • https://csp.withgoogle.com/docs/index.html • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy