Cross Site Scripting

What It Means

This request attempted to inject malicious JavaScript or HTML that would execute in your visitors’ browsers.

Why It Matters

Cross-site scripting (XSS) attacks target your users, not your server. An attacker injects a script that runs when other visitors load the page, potentially stealing session cookies, redirecting users to phishing sites, or modifying page content. This can lead to account takeovers and data theft affecting your customers.

Common Triggers

Requests containing <script> tags, JavaScript event handlers (like onload or onerror), or encoded script payloads in form inputs and URL parameters. Attackers frequently encode their payloads to evade basic filters.
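Because payloads are often encoded, a filter has to decode a value before matching it. The sketch below is an added example, not part of the original page or any product's rule set; the rule names, patterns, and sample values are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Illustrative patterns for the triggers named above (assumed, not a vendor rule set).
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    # An on* attribute inside a tag, e.g. onload= or onerror=
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
}


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode and HTML-unescape repeatedly so double encoding is undone.

    The round limit bounds the work done on hostile input.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def matched_rules(value: str, decode: bool = True) -> list[str]:
    """Return the names of the rules that match, optionally after decoding."""
    candidate = normalize(value) if decode else value
    return sorted(name for name, rx in PATTERNS.items() if rx.search(candidate))


# Constructed sample parameter values.
SAMPLES = [
    "%3Cscript%3Ealert(1)%3C/script%3E",                     # URL-encoded once
    "%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E",  # URL-encoded twice
    "&#60;body onload=init()&#62;",                          # HTML entities
    "price < 10 and color = blue",                           # benign text
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: raw={matched_rules(sample, decode=False)} "
              f"decoded={matched_rules(sample)}")
```

Matching only the raw value misses all three encoded samples, which is the gap that encoding-based evasion relies on.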

What To Do

These blocks protect your users from having their sessions hijacked. If legitimate content is being blocked (such as a CMS editor that allows HTML input), use Path Allowlisting to exempt the specific endpoint. See also Blocking HTML in Forms for configuration options.