Security for the Web
On this page I will cover web security specifically.
Dealing with Security Vulnerabilities
Best Practices for Mitigation
Don't just try to reason about what a hacker might do. The way to protect yourself is to look up how to mitigate each vulnerability. As an example, let's say you want to protect against path traversal vulnerabilities. You know you shouldn't allow '../' in paths. So you write code to remove '../' from paths. This is not enough as the hacker could pass '.../...//', which would yield '../' after removing '../'. Read more on the CWE-22 page. It is always safest to follow standard ways when implementing security.
Web Standards
Content Security Policy (CSP)
Content Security Policy (CSP) allows whitelisting sources of content that are allowed to be loaded. Helps prevent XSS attacks. CSP supersedes X-Frame-Options.
Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) can allowlist websites (origins) that are allowed to access a resource. By default, the browser prevents scripts on the page from accessing resources on other domains. CORS allows you to configure what other domains are allowed to access the resource. This is done by setting the Access-Control-Allow-Origin header. The flow looks like this:
- The browser sends a request with
Origin: https://example.comto the server. - The server looks at the
Originheader and checks its CORS policy. If it approves, the server sets theAccess-Control-Allow-Origin: https://example.comheader in the response. - The browser looks at the
Access-Control-Allow-Originheader and allows the request to proceed, if its value matches its origin.
For requests using methods other than GET, POST, or HEAD, or POST requests with a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, or if the request has a custom header, the browser will send a preflight request to the server. The preflight request will be an OPTIONS request with the following headers: Origin, Access-Control-Request-Method, Access-Control-Request-Headers. If the server approves, it responds with 200 OK.
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a security header that tells the browser to only connect to the server using HTTPS.
Subresource Integrity (SRI)
Subresource Integrity (SRI) is a parameter a developer can add to a script tag to ensure that the script has not been tampered with. This is commonly used when loading scripts from a CDN.
XSS, CSRF, and SSRF
Comparison
XSS and CSRF are both client-side attacks, while SSRF is a server-side attack. XSS attacks are executed by injecting malicious code into a web page of another user. It can be used to extract information from the browser's context (e.g., cookies, DOM). With CSRF, the attacker crafts a malicious request (e.g., an HTML image tag, an auto-submitting form, or a link) and tricks an authenticated user into loading it. Since the user is logged into the target application, their browser automatically includes their session cookies with the forged request, which the trusted site then executes as a legitimate user action. SSRF attacks are executed by manipulating a request such that, when executed, it causes the server to make a request to an unintended site.
XSS -- Cross-Site Scripting
XSS -- inject code into a web page of another user. Extract information from the browser's context (e.g., cookies, DOM).
CSRF -- Cross-Site Request Forgery
CSRF -- forge a request to a trusted site on behalf of an authenticated user. Cause authenticated actions to occur.
SSRF -- Server-Side Request Forgery
SSRF -- forge a request to an unintended site on behalf of an authenticated user.
The OWASP Top 10
The OWASP Top 10 is a list of the most common security vulnerabilities affecting web applications. For each category, OWASP lists the most common vulnerabilities, which they number using the Common Weakness Enumeration (CWE). Examples are XSS, SQL injection, and CSRF.
A01:2025 - Broken Access Control
Common weaknesses include:
See full list of CWEs for broken access control.A02:2025 - Security Misconfiguration
Common weaknesses include:
- CWE-260 Password in Configuration File
- CWE-489 Active Debug Code
- CWE-526 Exposure of Sensitive Information Through Environmental Variables
A03:2025 - Software Supply Chain Failures
Common weaknesses include:
- CWE-1035 Using Components with Known Vulnerabilities
- CWE-1104 Use of Unmaintained Third Party Components
- CWE-1395 Dependency on Vulnerable Third-Party Component
A04:2025 - Cryptographic Failures
Common weaknesses include:
- CWE-326 Inadequate Encryption Strength
- CWE-332 Insufficient Entropy in PRNG
- CWE-759 Use of a One-Way Hash without a Salt
A05:2025 - Injection
Common weaknesses include:
- CWE-89 SQL Injection
- CWE-78 OS Command Injection
- CWE-94 Improper Control of Generation of Code ('Code Injection', includes XSS)
A06:2025 - Insecure Design
Common weaknesses include:
- CWE-311 Missing Encryption of Sensitive Data
- CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- CWE-602 Client-Side Enforcement of Server-Side Security
A07:2025 - Authentication Failures
Common weaknesses include:
- CWE-259 Use of Hard-coded Password
- CWE-295 Improper Certificate Validation
- CWE-1392 Use of Default Credentials
A08:2025 - Software or Data Integrity Failures
Common weaknesses include:
- CWE-506 Embedded Malicious Code
- CWE-427 Uncontrolled Search Path Element
- CWE-565 Reliance on Cookies without Validation and Integrity Checking
A09:2025 - Logging & Alerting Failures
Common weaknesses include:
- CWE-117 Improper Output Neutralization for Logs
- CWE-532 Insertion of Sensitive Information into Log File
- CWE-778 Insufficient Logging
A10:2025 - Mishandling of Exceptional Conditions
Common weaknesses include:
- CWE-209 Generation of Error Message Containing Sensitive Information
- CWE-252 Unchecked Return Value
- CWE-280 Improper Handling of Insufficient Permissions or Privileges