Web Security

This section is mostly aimed at developers wishing to create secure web applications.

Basics

Cross-Origin Resource Sharing (CORS)

Learn how Cross-Origin Resource Sharing (CORS) can be used to relax the same origin policy when required.

Same Origin Policy

The heart of the browser security model. Learning about the SOP is important if you want to understand the different client-side attacks and defenses.

Attacks & Prevention

Clickjacking

Learn about clickjacking attacks and defenses.

CSRF

Learn about cross-site request forgery (CSRF) attacks and defenses.

MITM

Learn about man-in-the-middle (MITM) attacks and defenses.

Session Fixation

Learn about session fixation attacks and defenses.

SQL Injection

Learn about SQL injection attacks and defenses.

Tabnabbing

Learn about tabnabbing attacks and defenses.

XS-Leaks

Learn about cross-site information leak attacks and defenses.

XSS

Learn about cross-site scripting (XSS) attacks and defenses.

XXE

Learn about XML External Entity (XXE) attacks and defenses.

Cookie Security

Clearing Cookies

Learn how to clear cookies properly.

HttpOnly Cookies

Lean how the HttpOnly cookie attribute can protect the cookies from XSS attacks.

SameSite Cookies

Learn how SameSite cookies can protect your web application against CSRF, XSS, cross-site information leaks and more.

Secure Cookies

Learn how the Secure cookie attribute can protect the cookies from MITM attacks.

__Host-Prefix

Cookie names matter! Learn about the __Host-prefix.

Security Headers

Access-Control-Allow-Credentials

Learn about allowing cookies in CORS (Cross-Origin-Request-Sharing)

Access-Control-Allow-Headers

Learn about allowing non-whitelisted headers in CORS (Cross-Origin-Request-Sharing)

Access-Control-Allow-Methods

Learn about allowing non-whitelisted methods in CORS (Cross-Origin-Request-Sharing)

Access-Control-Allow-Origin

Learn about allowing origins in CORS (Cross-Origin-Request-Sharing)

Content-Security-Policy

Learn how the CSP (Content Security Policy) header can protect your web application from XSS attacks.

Cross-Origin-Opener-Policy

Learn how the Cross-Origin Opener Policy (COOP) can protect your web application from cross-site information leaks.

Cross-Origin-Resource-Policy

Learn how the Cross-Origin Resource Policy can protect your web application from cross-site information leaks and other client-side attacks.

Fetch Metadata Headers

Learn how the new fetch metadata headers can be used to defend against cross-site attacks like never before.

Strict-Transport-Security

Learn how the HSTS (HTTP Strict Transport Security) header can protect your web application from MITM attacks.

X-Frame-Options

Learn how the X-Frame-Options can prevent other websites from framing your page.

Tools & Resources

CSP Tool

An in-browser tool for creating, modifying and analyzing CSP (Content Security Policy) headers.

Security Feature Browser Support

Up-to-date browser support tables for the most important security features.

Web Application Security Checklist

A 70+ step guide for securing a modern web application, including the development lifecycle, infrastructure and architecture.