Fix XSS in API Responses in CodeIgniter
XSS in API responses occurs when an application reflects unsanitized user input in a response body without setting the correct 'Content-Type' header. In CodeIgniter, failing to use the Response object allows browsers to potentially sniff the content as HTML, leading to script execution. As a researcher, I see this most often when devs use 'echo' instead of the framework's response handlers.
The Vulnerable Pattern
public function profile() {
    $username = $this->request->getGet('user');
    // VULNERABLE: Direct echo without explicit Content-Type header.
    // If a victim visits /profile?user=, some browsers may render it.
    echo json_encode(['status' => 'success', 'message' => 'Welcome ' . $username]);
}
The Secure Implementation
The fix relies on two layers: header enforcement and output encoding. Using '$this->response->setJSON()' sets the 'Content-Type: application/json' header, which tells modern browsers not to parse the response as HTML. Additionally, encoding the value with 'esc()' and serialising the body with 'json_encode' (which 'setJSON()' does for you) prevents raw injection. To harden this further, always implement a 'Content-Security-Policy' (CSP) and set the 'X-Content-Type-Options: nosniff' header in your CodeIgniter Filters, so that even older or lenient browsers cannot MIME-sniff the JSON body as HTML.
public function profile() {
    $username = $this->request->getGet('user');
    // SECURE: Use CI4 Response object. setJSON() automatically sets
    // 'Content-Type: application/json' and handles encoding.
    return $this->response
        ->setStatusCode(200)
        ->setJSON([
            'status'  => 'success',
            'message' => 'Welcome ' . esc($username)
        ]);
}
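The hardening step mentioned above (nosniff and CSP applied through CodeIgniter Filters), as an added example that is not part of the original post. The class name 'SecureHeaders', the alias 'secheaders' and the CSP value are this example's own choices; the filter interface and the 'setHeader()' / 'Filters' config calls are standard CodeIgniter 4.

```php
<?php
// Added example (not from the original post): a CodeIgniter 4 "after" filter
// that attaches the hardening headers recommended in the text to every
// response, independent of what the controller returned.
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class SecureHeaders implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        // Nothing to do on the way in; headers are added on the way out.
        return null;
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Forbid MIME sniffing: the browser must honour the declared
        // Content-Type (application/json from setJSON()) and never guess HTML.
        $response->setHeader('X-Content-Type-Options', 'nosniff');

        // Restrictive CSP for API routes (policy value is this example's choice):
        // even if a response were rendered as a document, no script could run.
        $response->setHeader(
            'Content-Security-Policy',
            "default-src 'none'; frame-ancestors 'none'"
        );

        return $response;
    }
}

// Registration in app/Config/Filters.php (alias name is this example's choice):
//
//   public array $aliases = [
//       'secheaders' => \App\Filters\SecureHeaders::class,
//   ];
//
//   public array $globals = [
//       'before' => [],
//       'after'  => ['secheaders'],
//   ];
```

Note that a filter can only act on the Response object: a bare 'echo' bypasses it entirely, which is one more reason the secure controller above returns '$this->response'.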
Verified by Ghost Labs Security Team