Fix XSS in API Responses in Micronaut
XSS in APIs isn't just a frontend problem. If your Micronaut controller reflects unsanitized input with a 'text/html' or 'text/plain' Content-Type, or fails to enforce 'application/json', you're handing an attacker an execution primitive. The goal is to force strict data types and ensure the browser never interprets your API response as a renderable document.
The Vulnerable Pattern
import io.micronaut.http.MediaType;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Produces;
import io.micronaut.http.annotation.QueryValue;

@Controller("/v1/api")
public class ProfileController {

    @Get("/echo")
    @Produces(MediaType.TEXT_HTML) // Fatal mistake: API serving HTML
    public String echo(@QueryValue String input) {
        return "<div>" + input + "</div>"; // Direct string concatenation: input is reflected unencoded
    }
}
The Secure Implementation
The vulnerability stems from 'Content-Type' confusion and lack of output encoding. By setting '@Produces(MediaType.TEXT_HTML)', you tell the browser to parse the response as HTML, so any markup in the reflected input is interpreted and executed. The fix below keeps the HTML content type but HTML-encodes the reflected value with the OWASP Java Encoder before it is concatenated into the response:
import io.micronaut.http.MediaType;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Produces;
import io.micronaut.http.annotation.QueryValue;
import org.owasp.encoder.Encode;

@Controller("/v1/api")
public class ProfileController {

    @Get("/safe-echo")
    @Produces(MediaType.TEXT_HTML) // Still HTML, so every reflected value must be output-encoded
    public String safeEcho(@QueryValue String input) {
        return "<div>" + Encode.forHtmlContent(input) + "</div>"; // OWASP Java Encoder neutralises markup
    }
}
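A complementary fix that follows the "force 'application/json'" goal stated above, added here as an example and not code from the article or from the Micronaut project: the echo endpoint returns a typed JSON body with an 'X-Content-Type-Options: nosniff' header, and a Micronaut test asserts that the response can never be parsed as a document. It assumes micronaut-serde-jackson and micronaut-test-junit5 are on the classpath; the class names and the probe string are illustrative.

```java
import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpResponse;
import io.micronaut.http.MediaType;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Produces;
import io.micronaut.http.annotation.QueryValue;
import io.micronaut.http.client.HttpClient;
import io.micronaut.http.client.annotation.Client;
import io.micronaut.serde.annotation.Serdeable;
import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
import jakarta.inject.Inject;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertEquals;

@Controller("/v1/api")
public class JsonEchoController {

    // Typed body: the serializer emits a JSON string value, never raw markup.
    @Serdeable
    public record EchoResponse(String echo) {}

    @Get("/echo")
    @Produces(MediaType.APPLICATION_JSON) // strict data type instead of text/html
    public HttpResponse<EchoResponse> echo(@QueryValue String input) {
        return HttpResponse.ok(new EchoResponse(input))
                // stop browsers from sniffing the body into a renderable document
                .header("X-Content-Type-Options", "nosniff");
    }
}

@MicronautTest
class JsonEchoControllerTest {
    @Inject @Client("/") HttpClient client;

    @Test
    void reflectedMarkupIsReturnedAsJsonData() {
        // Constructed probe: harmless markup, URL-encoded for the query string
        String probe = java.net.URLEncoder.encode("<b>hi</b>", java.nio.charset.StandardCharsets.UTF_8);
        HttpResponse<String> rsp = client.toBlocking()
                .exchange(HttpRequest.GET("/v1/api/echo?input=" + probe), String.class);
        assertEquals("application/json", rsp.getContentType().map(MediaType::getName).orElse(""));
        assertEquals("nosniff", rsp.getHeaders().get("X-Content-Type-Options"));
        assertEquals("{\"echo\":\"<b>hi</b>\"}", rsp.body()); // markup is a JSON string, not HTML
    }
}
```

With a JSON content type and nosniff set, the reflected value needs no HTML encoding because the browser never treats the body as markup; the test fails the moment someone switches the endpoint back to 'text/html'.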
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.