Is your website vulnerable to XSS attacks?

After launching Cloud War Games and starting to promote it I found someone tried, unsuccessfully, to run an XSS attack on me.

They used a tool called “XSS.report” which has a few pre-built prompts you can inject into forms and http requests. It contains a bit of HTML/JS that will send back traffic to their servers. This can grab anything ranging from the full HTML of a page to the browser’s cookies and local storage for the victim website. That could include login credentials.

Luckily the party that tried it on me seemed harmless enough actually, almost like a professional courtesy. Another tech professional trying to flush any vulnerabilities before the bad guys could.

But in the wrong hands a real XSS attack could cause some really expensive and painful problems.

What are you doing to prevent XSS attacks on your website?