Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
XSS vulnerabilities are incredibly serious and we recommend you reference the OWASP Cheat Sheet to learn how you can prevent an attack.
Prevention is just one aspect of an effective security model, though. To prepare for the worst case scenario where an attack is successful, you should ensure your application is configured to minimize the attack's surface area.
Clerk works to minimize the surface area by using HttpOnly cookies to store users' session tokens and prevent them from being leaked during XSS attacks.
HttpOnly is a flag on the Set-Cookie header, which a server issues to set a cookie in the browser. A cookie carrying this flag is sent with requests as usual but cannot be read by JavaScript running in the page (it is hidden from document.cookie).
Unauthorized access to session tokens is especially problematic because the tokens can be used to take actions on behalf of a user, even after an XSS vulnerability has been resolved. As a result, when session tokens leak, it is recommended you invalidate existing tokens and force users to sign in again.
HttpOnly cookies prevent session tokens from leaking through XSS attacks. Unless your application leaks session tokens another way, there will not be a need to sign your users out after a successful XSS attack.
Other forms of session token storage are susceptible to this issue, so even if you don't use Clerk, we highly recommend avoiding these forms of storage for session tokens:
Cookies without the HttpOnly flag
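As an added example (not Clerk's code), the following Node.js snippet builds a session cookie header with the HttpOnly flag described above and audits an arbitrary Set-Cookie header for the hardening attributes a session cookie should carry. The cookie name, token value, domain and lifetime are constructed assumptions.

```javascript
// Added example, not code from Clerk. Set-Cookie attribute names are
// case-insensitive per RFC 6265, so the parser lower-cases them.

// Build a Set-Cookie value for a session token. HttpOnly keeps the token
// out of document.cookie, so an injected script cannot read it; Secure and
// SameSite are the usual companions. Defaults here are assumptions.
function buildSessionCookie(name, token, { maxAgeSeconds = 60 * 60 * 24 * 7, domain } = {}) {
  const parts = [
    `${name}=${encodeURIComponent(token)}`,
    'Path=/', 'HttpOnly', 'Secure', 'SameSite=Lax', `Max-Age=${maxAgeSeconds}`,
  ];
  if (domain) parts.push(`Domain=${domain}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into name, value and an attribute map.
// Flag attributes (HttpOnly, Secure) map to true; valued ones keep their value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Return the hardening attributes a session cookie header is missing.
// An empty array means the cookie is protected from script access (HttpOnly),
// from plaintext transport (Secure) and has an explicit SameSite policy.
function auditSessionCookie(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (attributes.httponly !== true) missing.push('HttpOnly');
  if (attributes.secure !== true) missing.push('Secure');
  if (!('samesite' in attributes)) missing.push('SameSite');
  return missing;
}

// Constructed sample headers: one hardened, one storing the token in a plain cookie.
const hardened = buildSessionCookie('__session', 'tok_example', { domain: 'example.com' });
const weak = '__session=tok_example; Path=/; Max-Age=3600';
console.log(auditSessionCookie(hardened)); // []
console.log(auditSessionCookie(weak));     // [ 'HttpOnly', 'Secure', 'SameSite' ]
```

Running the audit against the Set-Cookie headers your own application emits is a quick way to confirm that no session cookie falls into the "without the HttpOnly flag" category listed above.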
The setup process for Clerk requires you to set CNAME records in your DNS. These records enable us to set cookies for your domain on your behalf.