Web Security

This section is mostly aimed at developers wishing to create secure web applications.
Cross-Origin Resource Sharing (CORS)
Learn how Cross-Origin Resource Sharing (CORS) can be used to relax the same origin policy when required.
Same Origin Policy
The heart of the browser security model. Learning about the SOP is important if you want to understand the different client-side attacks and defenses.

Attacks & Prevention

Clickjacking
Learn about clickjacking attacks and defenses.
Cross-Site Request Forgery (CSRF)
Learn about cross-site request forgery (CSRF) attacks and defenses.
Man-in-the-Middle (MITM)
Learn about man-in-the-middle (MITM) attacks and defenses.
Session Fixation
Learn about session fixation attacks and defenses.
SQL Injection
Learn about SQL injection attacks and defenses.
Tabnabbing
Learn about tabnabbing attacks and defenses.
Cross-Site Information Leaks
Learn about cross-site information leak attacks and defenses.
Cross-Site Scripting (XSS)
Learn about cross-site scripting (XSS) attacks and defenses.
XML External Entity (XXE)
Learn about XML External Entity (XXE) attacks and defenses.

Cookie Security

Clearing Cookies
Learn how to clear cookies properly.
HttpOnly Cookies
Learn how the HttpOnly cookie attribute can protect cookies from XSS attacks.
SameSite Cookies
Learn how SameSite cookies can protect your web application against CSRF, XSS, cross-site information leaks and more.
Secure Cookies
Learn how the Secure cookie attribute can protect cookies from MITM attacks.
Cookie Prefixes
Cookie names matter! Learn about the __Host- prefix.

Security Headers

CORS: Allowing Cookies
Learn about allowing cookies in CORS (Cross-Origin Resource Sharing).
CORS: Allowing Non-Whitelisted Headers
Learn about allowing non-whitelisted headers in CORS (Cross-Origin Resource Sharing).
CORS: Allowing Non-Whitelisted Methods
Learn about allowing non-whitelisted methods in CORS (Cross-Origin Resource Sharing).
CORS: Allowing Origins
Learn about allowing origins in CORS (Cross-Origin Resource Sharing).
Content Security Policy (CSP)
Learn how the CSP (Content Security Policy) header can protect your web application from XSS attacks.
Cross-Origin Opener Policy (COOP)
Learn how the Cross-Origin Opener Policy (COOP) can protect your web application from cross-site information leaks.
Cross-Origin Resource Policy (CORP)
Learn how the Cross-Origin Resource Policy can protect your web application from cross-site information leaks and other client-side attacks.
Fetch Metadata Headers
Learn how the new fetch metadata headers can be used to defend against cross-site attacks like never before.
HTTP Strict Transport Security (HSTS)
Learn how the HSTS (HTTP Strict Transport Security) header can protect your web application from MITM attacks.
X-Frame-Options
Learn how the X-Frame-Options header can prevent other websites from framing your page.

Tools & Resources

CSP Tool
An in-browser tool for creating, modifying and analyzing CSP (Content Security Policy) headers.
Security Feature Browser Support
Up-to-date browser support tables for the most important security features.
Web Application Security Checklist
A 70+ step guide for securing a modern web application, including the development lifecycle, infrastructure and architecture.