Secure Yourself From Xss Attacks

Another way to protect your website from hacking is Cross-site scripting (XSS). Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, so when users are browsing your website, their data gets leaked and is received by the attacker.

This can be explained with an example, if you show comments on a page without validation, then an attacker might submit comments containing script tags and JavaScript, which could run in every other user's browser and steal their login cookie, allowing the attack to take control of the account of every user who viewed the comment.

To prevent this situation you need to ensure that users cannot inject active JavaScript content into your pages.
You can use powerful tools such as Content Security Policy (CSP). CSP is a header your server can return which tells the browser to limit how and what JavaScript is executed in the page.

This will not let attacker's scripts to work, even if they can get them into your page.