I am developing an Express application that serves as a REST API with a web client and possibly future mobile clients. I use OAuth 2.0 token authentication for both clients. This gives great protection against CSRF. I want to know how to provide protection against XSS.
*I made the token validity period very short, requiring a request from the client with refresh_tokens and other client data for access_tokens. This makes it a little safer, but not completely.*
I am worried that the client_id and client_secret could be stolen, as they are present in the JavaScript front-end code, and then used by another client for verification. I am thinking about using JWT to authenticate the client; will it be useful?
Sanitization is another issue that I am confused about. There are modules like validator and express-validator, which work with regular expressions. According to this blog post, JSON Schema validation is fast. In a REST API, JSON will be used for data exchange, so I wondered why I can't use modules like tv4 or any other JSON Schema validator to validate the data. I am not asking for suggestions on what to use; I just want to know the main difference between the types of validation each of them provides, especially in terms of XSS protection and sanitization.
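An added example (my own code, not from the question or any of the libraries it names) illustrating the difference being asked about: a tv4/ajv-style JSON Schema check only verifies shape and type, so a well-formed string that happens to contain markup passes, while output encoding at render time is what actually neutralises it. The `validate` function is a hand-written stand-in for a real schema library, and the request body is constructed for the demo.

```javascript
// Node.js, no dependencies. validate() is a deliberately tiny stand-in for a
// JSON Schema library: it checks structure (type, required, maxLength, pattern)
// and nothing else. It never alters the data.
function validate(schema, value) {
  const errors = [];
  if (schema.type === 'object') {
    if (typeof value !== 'object' || value === null) return ['expected object'];
    for (const key of schema.required || []) {
      if (!(key in value)) errors.push(`missing ${key}`);
    }
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (key in value) errors.push(...validate(sub, value[key]).map(e => `${key}: ${e}`));
    }
  } else if (schema.type === 'string') {
    if (typeof value !== 'string') return ['expected string'];
    if (schema.maxLength !== undefined && value.length > schema.maxLength) errors.push('too long');
    if (schema.pattern && !new RegExp(schema.pattern).test(value)) errors.push('pattern mismatch');
  } else if (schema.type === 'integer') {
    if (!Number.isInteger(value)) return ['expected integer'];
  }
  return errors;
}

// Output encoding: the XSS defence applied when a stored string is put into HTML.
// This transforms the data, which is exactly what a schema check does not do.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// A pattern-constrained field rejects markup as a side effect of its whitelist;
// a free-text field (bio) legitimately has no such pattern.
const profileSchema = {
  type: 'object',
  required: ['username', 'bio'],
  properties: {
    username: { type: 'string', pattern: '^[a-z0-9_]{3,20}$' },
    bio: { type: 'string', maxLength: 200 },
    age: { type: 'integer' },
  },
};

// Constructed sample request body: valid JSON, valid against the schema,
// yet the bio carries a script tag.
const sampleBody = { username: 'alice_1', bio: '<script>alert(1)</script>', age: 30 };

// Returns the schema result and the encoded form a template should render.
function check(body) {
  return { errors: validate(profileSchema, body), bioHtml: escapeHtml(body.bio) };
}
```

Running `check(sampleBody)` yields no schema errors, which is the point: the schema validator confirms the payload is the right shape, and only the encoding step makes the bio safe to render.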