XSRF Protection
Some web browser applications are vulnerable to cross-site script inclusion (XSSI) attacks. These are achieved by including executable JavaScript within JSON response objects.
The standard approach to prevent this attack is to prefix every JSON response with the following characters: )]}',\n
XSSI attacks are only successful if the JSON is executable. Prefixing every JSON response with the required string sanitizes the response, so it is no longer executable.
The client is expected to remove the additional characters before parsing, which turns the non-executable response back into a parsable JSON data structure.
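The following is an added example, not code from the original page: it shows the prefix being applied on the server side, stripped on the client side, and a check that the prefixed body no longer compiles as a script. The function names are hypothetical, and the trailing \n of the prefix is assumed to be a newline character.

```javascript
// Added example; function names are hypothetical, not a product API.
// Assumption: the trailing \n in the documented prefix is a newline character.
const XSSI_PREFIX = ")]}',\n";

// Server side: serialize the value and prepend the prefix to the response body.
function protectJson(value) {
  return XSSI_PREFIX + JSON.stringify(value);
}

// Client side: strip the prefix, then parse. A body without the prefix is
// rejected so that an unprotected endpoint is noticed, not silently accepted.
function parseProtectedJson(body) {
  if (typeof body !== "string" || !body.startsWith(XSSI_PREFIX)) {
    throw new Error("response is missing the XSSI prefix");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Returns true if `source` compiles as JavaScript, which is what a
// <script src="..."> include of the response would need in order to run.
// new Function only compiles the text here; the result is never called.
function compilesAsScript(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample data. A top-level JSON array is also a valid script.
const SAMPLE = [{ user: "alice", balance: 42 }];

function demo() {
  const raw = JSON.stringify(SAMPLE);
  const wire = protectJson(SAMPLE);
  return {
    rawIsExecutable: compilesAsScript(raw),        // unprotected response
    prefixedIsExecutable: compilesAsScript(wire),  // protected response
    roundTrip: parseProtectedJson(wire),           // what the client recovers
  };
}

console.log(demo());
```

Passing the prefixed body straight to JSON.parse fails, which is why the strip step has to happen in the client's response handling before any parsing.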