> As a developer, I feel like I have more control over mitigating CSRF than XSS.

Your feeling is correct. Let me put it this way:

You mitigate SQL injection effectively by making sure no data (user input) can affect the code (SQL query), i.e. prepared statements. There is no analogous equivalent for defeating XSS. You have to escape output.

https://paragonie.com/blog/2015/06/preventing-xss-vulnerabil...

Escaping input for SQL injection "works", but has failed pretty hard in the past: http://stackoverflow.com/a/12118602/2224584 (Character encoding, for the lose.)

By comparison, CSRF is trivial. You use a token that only the client should know, and implement a trivial challenge/response authentication layer onto your HTTP POST APIs, make sure you're using TLS, and call it a day.
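One way to implement the CSRF token check the comment describes, as an added example that is not part of the original post: the token is bound to the session with an HMAC (an assumed design; the synchronizer pattern that stores the token server-side works just as well), the session id arrives in a cookie the browser sends automatically, and the token must arrive in the form body, which a cross-site page cannot read. The request dicts, `SERVER_KEY` and `sess-A`/`sess-B` are constructed stand-ins for real framework objects.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real deployment loads this from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Mint a token tied to one session: random nonce + HMAC(key, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_post(request: dict) -> int:
    """Minimal POST handler returning an HTTP status.

    The session id comes from a cookie (sent on cross-site requests too), so it
    proves nothing by itself; the token comes from the form body, which only a
    page served by this origin could have embedded.
    """
    session_id = request.get("cookie_session")
    token = request.get("form_csrf_token", "")
    if not session_id or not verify_csrf_token(session_id, token):
        return 403
    return 200


def demo() -> tuple:
    """Legitimate submit, cross-site forgery (no token), token lifted from another session."""
    good = {"cookie_session": "sess-A", "form_csrf_token": issue_csrf_token("sess-A")}
    forged = {"cookie_session": "sess-A"}
    wrong_session = {"cookie_session": "sess-A", "form_csrf_token": issue_csrf_token("sess-B")}
    return handle_post(good), handle_post(forged), handle_post(wrong_session)


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```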