XSS and Server-Side Rendering: Where Teams Still Get Burned

Server-side rendering feels safer than shipping a giant client-side app. A lot of HTML is generated on the server, templates usually escape output by default, and there is less obvious DOM manipulation in the browser. That safety is real, but people overestimate it. I’ve seen teams say “we use SSR, so XSS isn’t really a concern.” Then you look at the code and find raw HTML helpers, unquoted attributes, JSON blobs jammed into <script> tags, and a CSP that exists only in a slide deck. SSR reduces some attack surface. It does not remove the core problem: if untrusted data lands in the wrong output context without the right encoding, you still have XSS. ...
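The three failure modes named above (raw interpolation, an unquoted attribute, and a JSON blob dropped into a `<script>` tag) side by side with context-aware encoders, as an added example that is not code from the original post. The renderer and helper names are assumed for illustration; `user` is a constructed input.

```javascript
// Added example (not from the original post): context-aware output
// encoding for a server-rendered page. Helper names are hypothetical.

// Encoder for HTML text content: neutralises tag and entity syntax.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Encoder for an attribute value. Escaping alone is not enough for an
// unquoted attribute (a space starts a new attribute), so attr() always
// emits the value inside double quotes.
function attr(name, value) {
  return `${name}="${escapeHtml(value)}"`;
}

// Encoder for a JSON blob placed inside <script>. JSON.stringify alone
// is not enough: a string containing "</script>" closes the tag early.
// Escaping <, >, & as \uXXXX keeps the text valid JSON and inert HTML;
// U+2028/2029 are escaped because they break JS string literals.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Unsafe rendering of the kind the post describes: raw interpolation,
// an unquoted attribute and a JSON blob dropped straight into <script>.
function renderUnsafe(user) {
  return `<div class=${user.theme}>${user.name}</div>
<script>window.__STATE__ = ${JSON.stringify(user)};</script>`;
}

// Hardened rendering: each slot uses the encoder for its output context.
function renderSafe(user) {
  return `<div ${attr("class", user.theme)}>${escapeHtml(user.name)}</div>
<script>window.__STATE__ = ${jsonForScript(user)};</script>`;
}
```

A quick check is to count `</script>` in the rendered page: the safe version contains exactly the one real closing tag regardless of what the user-controlled fields hold.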

June 8, 2026 · 8 min · headertest.com