Hacker TLDR;

HTMX Bypasses

CSP Bypass: HTMX triggers can be abused to bypass CSPs via <img src=x hx-on:htmx:load='alert(0)' /> - full writeup below.

Client-side response header injection to XSS: HTMX uses certain response headers to instruct the framework to perform certain behaviours. This can be abused via HX-Redirect: javascript:alert(1) for XSS if you can inject a response header.

Bypassing hx-disable: h
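
For the response header item above, a server-side guard as an added example (not code from the original writeup or from htmx): it validates a user-influenced redirect target before it is placed in the HX-Redirect header. The names safeHxRedirect, redirectHeaders and APP_ORIGIN are hypothetical, and the origin is a constructed sample value.

```javascript
// Added example: validate a value before sending it as an HX-Redirect header.
// safeHxRedirect, redirectHeaders and APP_ORIGIN are hypothetical names.
const APP_ORIGIN = "https://app.example"; // constructed sample origin

function safeHxRedirect(target, appOrigin = APP_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return null;

  // Control characters (CR, LF, TAB, NUL, ...) enable header splitting.
  // The URL parser also strips tab/newline silently, so "java\nscript:"
  // would otherwise parse as "javascript:". Reject them up front.
  if (/[\u0000-\u001f\u007f]/.test(target)) return null;

  let url;
  try {
    // Relative targets resolve against the application's own origin.
    url = new URL(target, appOrigin);
  } catch {
    return null;
  }

  // Only web schemes: this drops javascript:, data:, vbscript:, etc.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // Same-origin only: this drops "//other.host/..." and absolute foreign URLs.
  if (url.origin !== new URL(appOrigin).origin) return null;

  // Emit a path-only value so the header never carries a scheme or host.
  return url.pathname + url.search + url.hash;
}

// Build the response headers, falling back to "/" when the target is rejected.
function redirectHeaders(target) {
  const location = safeHxRedirect(target);
  return { "HX-Redirect": location === null ? "/" : location };
}
```
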