If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening (Technical Track)
Fri 28 May 2021 09:30 - 09:50 at Blended Sessions Room 1 - 3.6.1. Security Vulnerabilities: Different Domains
Cross-site scripting (XSS) is one of the most intractable security vulnerabilities in web applications. Enormous effort has been spent on mitigating XSS, yet it remains one of the most prevalent security threats on the Internet.
This paper presents our experience with preventing DOM-based XSS in a large software development organization through a safe-by-design engineering paradigm. Our approach, named API hardening, enforces organization-wide safe coding practices. We provide a set of secure-by-design APIs to replace the native DOM APIs that are prone to XSS vulnerabilities. These APIs and their implementations ensure, through a combination of type contracts and appropriate validation and escaping, that applications built on them are free of XSS vulnerabilities. We deploy a straightforward compile-time security checker to ensure that developers exclusively use our hardened APIs to interact with the DOM. We make various efforts to scale this approach to tens of thousands of software engineers without significant productivity impact. By offering rigorous tooling and consultant support, we help developers adopt the safe coding practices as seamlessly as possible. We present empirical results showing how API hardening has helped reduce the occurrence of XSS vulnerabilities in the organization’s code base over the course of a two-year deployment.
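The abstract names three ingredients: a type contract that marks values as safe for a DOM sink, validation or escaping at the point where such values are constructed, and a compile-time checker that bans the native sinks. The following TypeScript is an added illustration of that pattern, written for this page; it is not the paper's code and not any particular library's API. All names (SafeHtml, htmlFromText, html, setInnerHtml, findNativeSinkUses, the "hardened-sink-impl" allowlist marker) are hypothetical, and the element is a plain object standing in for a DOM node so the example runs outside a browser.

```typescript
// Added example (not the paper's code): a minimal "API hardening" sketch.

// Type contract: a branded type that only the constructors below can produce.
// Outside this module nothing can forge the brand without a deliberate cast.
export type SafeHtml = { readonly __brand: 'SafeHtml'; readonly value: string };

// Characters that change meaning in HTML text and quoted attribute contexts.
const ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escaping at construction time: turns any string into inert markup.
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Untrusted text in, SafeHtml out. The contract is "this will render as text".
export function htmlFromText(untrusted: string): SafeHtml {
  return { __brand: 'SafeHtml', value: escapeHtml(untrusted) };
}

// Tagged template: literal parts are developer-authored markup and pass through;
// interpolated strings are escaped; interpolated SafeHtml is composed unchanged.
export function html(
  strings: TemplateStringsArray,
  ...values: Array<string | SafeHtml>
): SafeHtml {
  let out = '';
  strings.forEach((literal, i) => {
    out += literal;
    if (i < values.length) {
      const v = values[i];
      out += typeof v === 'string' ? escapeHtml(v) : v.value;
    }
  });
  return { __brand: 'SafeHtml', value: out };
}

// Stand-in for a DOM element (hypothetical; lets the example run under Node).
export interface ElementLike { innerHTML: string }

// Hardened sink: the parameter type is the contract. Passing a raw string is a
// compile error, so the only way in is through the constructors above.
export function setInnerHtml(el: ElementLike, content: SafeHtml): void {
  el.innerHTML = content.value; // hardened-sink-impl (the one allowlisted native write)
}

// A deliberately simple stand-in for the compile-time checker: scan source text for
// native DOM sinks and report every use that is not the hardened API's own write.
// A real checker would work on the type-checked AST, not on regular expressions.
const NATIVE_SINKS: RegExp[] = [
  /\.innerHTML\s*=/,
  /\.outerHTML\s*=/,
  /document\.write\s*\(/,
  /\.insertAdjacentHTML\s*\(/,
];

export function findNativeSinkUses(source: string): string[] {
  const findings: string[] = [];
  source.split('\n').forEach((line, idx) => {
    if (line.includes('// hardened-sink-impl')) return; // allowlisted implementation line
    for (const sink of NATIVE_SINKS) {
      const m = sink.exec(line);
      if (m) {
        findings.push(
          `line ${idx + 1}: native DOM sink "${m[0].trim()}" is banned; use the hardened API`
        );
      }
    }
  });
  return findings;
}

// Constructed usage: attacker-controlled text reaches the sink only as escaped markup.
export function demo(): string {
  const el: ElementLike = { innerHTML: '' };
  const userInput = '<img src=x onerror=alert(1)>';
  setInnerHtml(el, html`<p>Hello, ${userInput}</p>`);
  return el.innerHTML;
}
```

The security-relevant point is where the trust decision lives: the escaping happens inside htmlFromText and html, the brand records that it happened, and setInnerHtml checks the brand rather than the content. Developers never call an escaper themselves, so forgetting one is not a possible mistake. The checker closes the remaining hole by refusing code that bypasses the hardened sink; in practice that check, and the allowlisting of the few implementation lines that legitimately touch the native sink, belongs in the compiler or type checker rather than in a line-based scan.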
Session schedule, Fri 28 May (displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)

08:50 - 09:50, Blended Sessions Room 1

08:50 (20 min, paper): Containing Malicious Package Updates in npm with a Lightweight Permission System. Technical Track. Gabriel Ferreira (Carnegie Mellon University), Limin Jia (Carnegie Mellon University), Joshua Sunshine (Carnegie Mellon University), Christian Kästner (Carnegie Mellon University). Pre-print; media attached.

09:10 (20 min, paper): Too Quiet in the Library: An Empirical Study of Security Updates in Android Apps’ Native Code. Technical Track. Sumaya Almanee (University of California, Irvine), Arda Ünal (University of California, Irvine), Mathias Payer (EPFL), Joshua Garcia (University of California, Irvine). Link to publication (DOI); pre-print; media attached.

09:30 (20 min, paper): If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening. Technical Track. Pre-print; media attached.