Web Security

This section is mostly aimed at developers wishing to create secure web applications.

Basics

Cross-Origin Resource Sharing (CORS)
Learn how Cross-Origin Resource Sharing (CORS) lets a server selectively relax the same-origin policy for chosen origins when cross-origin reads are required.
Same Origin Policy
The heart of the browser security model. Learning about the SOP is important if you want to understand the different client-side attacks and defenses.

Attacks & Prevention

Clickjacking
Learn about clickjacking attacks and defenses.
CSRF
Learn about cross-site request forgery (CSRF) attacks and defenses.
MITM
Learn about man-in-the-middle (MITM) attacks and defenses.
Session Fixation
Learn about session fixation attacks and defenses.
SQL Injection
Learn about SQL injection attacks and defenses.
Tabnabbing
Learn about tabnabbing attacks and defenses.
XS-Leaks
Learn about cross-site information leak attacks and defenses.
XSS
Learn about cross-site scripting (XSS) attacks and defenses.
XXE
Learn about XML External Entity (XXE) attacks and defenses.

Cookie Security

Clearing Cookies
Learn how to clear cookies properly.
HttpOnly Cookies
Learn how the HttpOnly cookie attribute keeps cookies out of reach of document.cookie, so an XSS payload cannot simply read and exfiltrate the session cookie.
SameSite Cookies
Learn how SameSite cookies keep the browser from attaching cookies to cross-site requests, protecting your web application against CSRF, many cross-site information leaks and other cross-site attacks (SameSite is not a defense against XSS itself, since injected script runs same-site).
Secure Cookies
Learn how the Secure cookie attribute keeps cookies off plaintext HTTP connections, so a network attacker in a MITM position cannot read or inject them.
__Host-Prefix
Cookie names matter! Learn about the __Host-prefix.
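The attributes listed above are easiest to see together on one Set-Cookie header. The following is an added example, not code from the original page: it builds a hardened session cookie and checks the rules a browser enforces before it accepts a __Host- prefixed cookie (Secure must be set, there must be no Domain attribute, and Path must be exactly "/"). The cookie name __Host-session, the SameSite=Lax default and the Max-Age value are illustrative assumptions.

```javascript
// Added example (not from the original page): build a hardened session cookie and
// check the rules browsers enforce for the __Host- prefix. The cookie name
// "__Host-session" and the attribute defaults below are assumptions for illustration.

// Browsers drop a __Host- cookie unless it is Secure, has Path=/ and carries no
// Domain attribute, so only the exact host that set it can read it back; this also
// stops a sibling subdomain from planting a cookie with the same name (session fixation).
function buildSessionCookie(value, { sameSite = 'Lax', maxAge = 3600 } = {}) {
  // Cookie values must be printable ASCII without whitespace, quotes, commas,
  // semicolons or backslashes (RFC 6265 cookie-octet); refuse anything else
  // rather than emitting a header another component may parse differently.
  if (!/^[\x21-\x7E]+$/.test(value) || /[",;\\]/.test(value)) {
    throw new Error('cookie value must be printable ASCII without " , ; or \\');
  }
  return [
    `__Host-session=${value}`,
    'Path=/',               // required by the __Host- prefix
    'Secure',               // required by the __Host- prefix; never sent over plaintext HTTP
    'HttpOnly',             // not readable from document.cookie, limits XSS cookie theft
    `SameSite=${sameSite}`, // not attached to cross-site subrequests, limits CSRF
    `Max-Age=${maxAge}`,
  ].join('; ');
}

// Parse a Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
// valueless attributes such as Secure and HttpOnly are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Returns the reasons a browser would reject this header as a __Host- cookie;
// an empty array means the cookie is accepted.
function hostPrefixProblems(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (!name.startsWith('__Host-')) problems.push('name lacks the __Host- prefix');
  if (!('secure' in attrs)) problems.push('missing Secure attribute');
  if ('domain' in attrs) problems.push('Domain attribute present');
  if (attrs.path !== '/') problems.push('Path must be exactly "/"');
  return problems;
}
```

A useful way to use hostPrefixProblems in practice is as a unit test on whatever framework call actually emits your Set-Cookie header: frameworks that add a default Domain attribute or a Path under a mount point silently produce a cookie the browser will never store.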

Security Headers

Access-Control-Allow-Credentials
Learn about allowing cookies and other credentials on cross-origin requests in CORS (Cross-Origin Resource Sharing), and why this must never be combined with a wildcard origin.
Access-Control-Allow-Headers
Learn about allowing request headers beyond the CORS-safelisted ones in CORS (Cross-Origin Resource Sharing).
Access-Control-Allow-Methods
Learn about allowing methods beyond the simple GET, HEAD and POST in CORS (Cross-Origin Resource Sharing).
Access-Control-Allow-Origin
Learn about allowing origins in CORS (Cross-Origin Resource Sharing), and why reflecting the request's Origin header without a whitelist disables the protection entirely.
Content-Security-Policy
Learn how the CSP (Content Security Policy) header can protect your web application from XSS attacks.
Cross-Origin-Opener-Policy
Learn how the Cross-Origin Opener Policy (COOP) can protect your web application from cross-site information leaks.
Cross-Origin-Resource-Policy
Learn how the Cross-Origin Resource Policy can protect your web application from cross-site information leaks and other client-side attacks.
Fetch Metadata Headers
Learn how the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) let the server tell same-site requests from cross-site ones and reject the latter before they reach application code.
Strict-Transport-Security
Learn how the HSTS (HTTP Strict Transport Security) header can protect your web application from MITM attacks.
X-Frame-Options
Learn how the X-Frame-Options header can prevent other websites from framing your page, the classic clickjacking defense and the legacy fallback for CSP's frame-ancestors directive.
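The header list above reads as isolated pieces until they are set side by side on one response. The following is an added example, not code from the original page: a baseline set of the defensive response headers listed above, plus a Fetch Metadata "resource isolation policy" that uses the Sec-Fetch-* request headers to reject cross-site requests before any application logic runs. The specific header values (the nonce-based CSP, the HSTS max-age, the decision to block cross-site form POSTs) are illustrative assumptions for a same-origin web app, not settings taken from the page.

```javascript
// Added example (not code from the original page): defensive response headers and a
// Fetch Metadata resource isolation policy. Header values and the policy choices
// below are illustrative assumptions for a same-origin web application.

// Baseline response headers. `cspNonce` must be a fresh random value per response
// (e.g. crypto.randomBytes(16).toString('base64')) and echoed on every <script nonce=...>.
function securityHeaders(cspNonce) {
  return {
    'Content-Security-Policy':
      `default-src 'self'; script-src 'nonce-${cspNonce}' 'strict-dynamic'; ` +
      `object-src 'none'; base-uri 'none'; frame-ancestors 'none'`,
    'Cross-Origin-Opener-Policy': 'same-origin',   // cut window references from cross-origin openers
    'Cross-Origin-Resource-Policy': 'same-origin', // refuse cross-origin no-cors embedding
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',                      // legacy fallback for frame-ancestors
  };
}

// Resource isolation policy on the Sec-Fetch-* request headers.
// `headers` is a lower-cased header map as Node's http module provides in req.headers.
// Returns true when the request may be served, false when it should be rejected (403).
function resourceIsolationAllows(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // 1. Browsers without Fetch Metadata send no Sec-Fetch-Site; keep serving them.
  //    The policy is defense in depth, not the only CSRF/XS-Leak protection.
  if (site === undefined) return true;

  // 2. Same-origin and same-site requests, and direct user actions (address bar,
  //    bookmark: Sec-Fetch-Site: none), are always allowed.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;

  // 3. Allow cross-site top-level navigations (a link to us from another site), but
  //    only for GET/HEAD, and not when the "navigation" targets <object>/<embed>.
  //    Cross-site POST navigations (form submissions) are rejected here as CSRF risk;
  //    relax this per endpoint if a third party legitimately posts forms to you.
  if (mode === 'navigate' && (method === 'GET' || method === 'HEAD') &&
      dest !== 'object' && dest !== 'embed') {
    return true;
  }

  // 4. Everything else is a cross-site subresource load or cross-site POST:
  //    CSRF, XS-Leaks probing, cross-site <img>/<script> inclusion. Reject it.
  return false;
}

// Pure request handler so the policy is unit-testable without a socket.
// Wire it into a real server with http.createServer((req, res) => { ... }),
// passing req.method and req.headers and calling res.writeHead(status, headers).
function handle(method, headers, cspNonce) {
  const respHeaders = securityHeaders(cspNonce);
  if (!resourceIsolationAllows(method, headers)) {
    return { status: 403, headers: respHeaders, body: 'cross-site request rejected' };
  }
  return { status: 200, headers: respHeaders, body: 'ok' };
}
```

Roll the isolation policy out in report-only fashion first (log the would-be 403s for a few days) before enforcing it, since legitimate cross-site entry points such as OAuth callbacks or third-party form posts show up in that log and need explicit exceptions.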

Tools & Resources

CSP Tool
An in-browser tool for creating, modifying and analyzing CSP (Content Security Policy) headers.
Security Feature Browser Support
Up-to-date browser support tables for the most important security features.
Web Application Security Checklist
A 70+ step guide for securing a modern web application, including the development lifecycle, infrastructure and architecture.