The Foundation: Never Trust User Input
The golden rule of XSS prevention is treating all user input as potentially malicious, regardless of its source. This includes obvious inputs like form fields and URL parameters, but also less obvious sources like HTTP headers, cookies, file names, and data from external APIs or databases. Even data from authenticated users or internal systems should be treated as untrusted, as these sources might be compromised or contain malicious data injected elsewhere.
This principle extends to client-side validation, which should never be relied upon for security. While client-side validation improves user experience by providing immediate feedback, it is easily bypassed by attackers who can modify requests directly. Every piece of data entering your application must be validated server-side, with client-side validation serving only as a convenience feature. Modern browsers' developer tools make bypassing client-side validation trivial, so the safe approach is to assume that any client-side security measure provides no protection at all.
Establishing trust boundaries in your application architecture helps maintain this security mindset. Clearly define where untrusted data enters your system and ensure all developers understand these boundaries. Use type systems and data flow analysis tools to track untrusted data through your application. Some teams use naming conventions like prefixing variables containing untrusted data with 'unsafe_' to make the risk visible in code. This constant awareness of data trust levels forms the foundation of effective XSS prevention.
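As an added example that is not part of the original article, the following TypeScript sketch makes the trust boundary explicit in the type system: input is wrapped as Untrusted where it enters, only an escaping or allow-list step produces SafeHtml, and the HTML sink accepts nothing else (the type and function names, and the username rule, are our own assumptions).

```typescript
// Added example (not from the original article): a minimal trust-boundary pattern.
// Data crossing the boundary is wrapped as Untrusted; the only ways to obtain
// SafeHtml are escapeHtml() or an allow-list validator, and the sink takes nothing else.

type Untrusted = { readonly kind: "untrusted"; readonly value: string };
type SafeHtml = { readonly kind: "safe-html"; readonly value: string };

// Wrap at the boundary: query parameters, headers, cookies, file names, DB rows, API responses.
function untrusted(value: string): Untrusted {
  return { kind: "untrusted", value };
}

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Route 1: escape for an HTML text or quoted-attribute context.
function escapeHtml(input: Untrusted): SafeHtml {
  const escaped = input.value.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
  return { kind: "safe-html", value: escaped };
}

// Route 2: allow-list validation for a field with a known shape (hypothetical username rule).
function validateUsername(input: Untrusted): SafeHtml | null {
  if (!/^[A-Za-z0-9_]{1,32}$/.test(input.value)) return null;
  return { kind: "safe-html", value: input.value };
}

// The sink. Passing a raw string or an Untrusted here is a compile-time error.
function render(name: SafeHtml): string {
  return `<p>Hello, ${name.value}</p>`;
}

// Runtime guard for the same sink, for callers the type checker does not cover
// (plain JS, deserialized objects): refuse anything that is not SafeHtml.
function renderChecked(x: unknown): string {
  if (typeof x !== "object" || x === null) throw new Error("untrusted data reached HTML sink");
  const v = x as { kind?: unknown; value?: unknown };
  if (v.kind !== "safe-html" || typeof v.value !== "string") {
    throw new Error("untrusted data reached HTML sink");
  }
  return render({ kind: "safe-html", value: v.value });
}

// Constructed sample input, as it might arrive in a query parameter.
const fromRequest = untrusted(`<b>Ada</b> & 'Bob'`);
console.log(render(escapeHtml(fromRequest)));
```

The compile-time check catches developer mistakes; the runtime guard in renderChecked covers paths the compiler cannot see, which is the "never trust" rule applied to your own internal data as well.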