You can avoid cross site scripting attacks with a whitelist of sources of trusted content in HTTP header.
For example, this content security policy (CSP) for a web page only allows MY APP domain, Google Analytics and APIs:
For more information, see CSP (Content Security Policy) for Web Applications in the What's New in LANSA Version14 SP2 guide.