Security - Metastem/Wikiless GitHub Wiki
Wikiless takes security seriously and uses multiple redundant measures to prevent XSS attacks on the client.
- A templating engine is used for many variables; it automatically sanitizes them and prevents any rogue code from being executed
- Many variables are sanitized internally with Go's html.EscapeString() API when they are served directly to the client
- Strict XSS-prevention headers are sent to the client on every non-static file request
- A CSP is added on every page that denies all scripts from running, first-party or otherwise, and defaults to none, which also prevents third-party connections, iframe attacks, inline attacks, etc.
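The following is an added example (not Wikiless's own code) showing how the measures listed above fit together in a Go HTTP server: a middleware that sets a deny-all CSP and other XSS-hardening headers on every non-static request, `html/template` escaping a variable by its HTML context, and `html.EscapeString()` for values written to the client directly. The exact header values, the `/static/` prefix and the `/wiki` route are assumptions made for illustration, not values taken from the project.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// strictCSP is a constructed policy for illustration: default-src 'none' denies scripts
// (first-party or otherwise), frames, connections and inline content unless a more
// specific directive allows them. Not the project's actual policy.
const strictCSP = "default-src 'none'; img-src 'self'; style-src 'self'; " +
	"base-uri 'none'; form-action 'self'; frame-ancestors 'none'"

// isStaticPath reports whether a request targets a static asset.
// Assumption: static files live under /static/.
func isStaticPath(p string) bool {
	return strings.HasPrefix(path.Clean(p), "/static/")
}

// securityHeaders adds XSS-hardening headers to every non-static response.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isStaticPath(r.URL.Path) {
			h := w.Header()
			h.Set("Content-Security-Policy", strictCSP)
			h.Set("X-Content-Type-Options", "nosniff")
			h.Set("X-Frame-Options", "DENY")
			h.Set("Referrer-Policy", "no-referrer")
		}
		next.ServeHTTP(w, r)
	})
}

// pageTmpl is a hypothetical article page. html/template escapes {{.Title}} and {{.Body}}
// according to the HTML context they appear in, so markup in the data is rendered as text.
var pageTmpl = template.Must(template.New("page").Parse(
	`<!doctype html><title>{{.Title}}</title><h1>{{.Title}}</h1><p>{{.Body}}</p>`))

// renderPage renders untrusted title and body through the templating engine.
func renderPage(title, body string) (string, error) {
	var buf bytes.Buffer
	err := pageTmpl.Execute(&buf, map[string]string{"Title": title, "Body": body})
	return buf.String(), err
}

// escapeForHTML is the manual path: html.EscapeString before writing a value directly.
func escapeForHTML(s string) string {
	return html.EscapeString(s)
}

// pageHandler serves a page whose title comes from the query string (untrusted input).
func pageHandler(w http.ResponseWriter, r *http.Request) {
	out, err := renderPage(r.URL.Query().Get("title"), "constructed body text")
	if err != nil {
		http.Error(w, "render error", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Write([]byte(out))
}

// serve runs one request through the middleware and returns the recorded response.
func serve(target string) *httptest.ResponseRecorder {
	mux := http.NewServeMux()
	mux.HandleFunc("/static/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("/* css */")) })
	mux.HandleFunc("/", pageHandler)
	rec := httptest.NewRecorder()
	securityHeaders(mux).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec
}

func main() {
	// Constructed request with a script tag in the title: it comes back escaped,
	// and the CSP would block it even if it had not been.
	rec := serve("/wiki?title=%3Cscript%3Ealert(1)%3C/script%3E")
	fmt.Println(rec.Header().Get("Content-Security-Policy"))
	fmt.Println(rec.Body.String())
}
```

The two layers are deliberately redundant: escaping stops the payload from becoming markup at all, while the CSP means that a value which slipped past escaping would still be refused by the browser. Static files are left without the headers, matching the "every non-static file request" rule above.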