CampusFlow
SecurityWeb Security

Web Security

OWASP Top 10, CORS, CSP, security headers, CSRF, session management, and secure coding practices for web applications.

OWASP Top 10

The 10 most critical web application security risks (2021 edition)

1

Broken Access Control

Failures in enforcing user permissions. Users access unauthorized resources or functions.

2

Cryptographic Failures

Weak encryption, exposed sensitive data, improper key management, or missing HTTPS.

3

Injection

SQL, NoSQL, OS, and LDAP injection where untrusted data is sent to an interpreter.

4

Insecure Design

Missing threat modeling and security controls during design phase of the application.

5

Security Misconfiguration

Default credentials, unpatched systems, enabled directory listing, verbose errors.

6

Vulnerable Components

Using outdated or vulnerable libraries, frameworks, and dependencies.

7

Auth Failures

Weak password policies, credential stuffing, session fixation, missing MFA.

8

Data Integrity Failures

Software updates, CI/CD pipelines, and serialized data without integrity checks.

9

Logging & Monitoring Failures

Insufficient logging, missing alerts, and delayed incident response.

10

SSRF

Server-Side Request Forgery — tricking server into making unauthorized internal requests.

CORS (Cross-Origin Resource Sharing)

A browser security mechanism for controlled cross-origin access

How CORS Works

  1. Browser enforces same-origin policy — blocks cross-origin requests by default
  2. For cross-origin requests, browser adds Origin header
  3. Server responds with Access-Control-Allow-Origin header
  4. Browser checks if the origin matches the allowed value
  5. Preflight requests (OPTIONS) are sent for complex requests

Important CORS Headers

  • Access-Control-Allow-Origin: * | https://example.com
  • Access-Control-Allow-Methods: GET, POST, PUT
  • Access-Control-Allow-Headers: Content-Type, Authorization
  • Access-Control-Allow-Credentials: true
  • Access-Control-Max-Age: 86400

Content Security Policy (CSP)

A defense-in-depth mechanism to prevent XSS and data injection attacks

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'; img-src *; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.example.com; frame-ancestors 'none'; form-action 'self';
default-src

Fallback for all resource types not explicitly specified

script-src

Controls which scripts can execute (inline, eval, external sources)

style-src

Controls which stylesheets and inline styles are allowed

img-src

Controls allowed sources for images

frame-ancestors

Controls which sites can embed the page in frames (prevents clickjacking)

report-uri / report-to

Sends violation reports to a specified endpoint

Security Headers

HTTP response headers that enhance browser security

HeaderPurposeExample Value
Strict-Transport-SecurityForce HTTPS connectionsmax-age=31536000; includeSubDomains
X-Frame-OptionsPrevent clickjacking via iframesDENY
X-Content-Type-OptionsPrevent MIME type sniffingnosniff
Referrer-PolicyControl referrer info in requestsstrict-origin-when-cross-origin
Permissions-PolicyRestrict browser API accesscamera=(), microphone=(), geolocation=()
Content-Security-PolicyComprehensive resource controldefault-src 'self'

Secure Headers Checklist

Strict-Transport-Security (HSTS) with long max-age
X-Frame-Options: DENY or SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy with restrictive rules
Referrer-Policy set to strict values
Permissions-Policy limiting sensitive APIs
No Server header or minimal info
Set-Cookie with Secure, HttpOnly, SameSite flags

CSRF (Cross-Site Request Forgery)

An attack that forces an authenticated user to perform unwanted actions

Attack Flow

  1. User logs into legitimate site (e.g., bank.com) — gets a session cookie
  2. User visits attacker's malicious site without logging out
  3. Malicious site auto-submits a form to bank.com transferring money
  4. Browser automatically includes the session cookie with the request
  5. Server sees a valid request from an authenticated user — executes it

Prevention

  • Anti-CSRF tokens: Unique, unpredictable tokens in forms
  • SameSite cookies: Set SameSite=Lax or Strict
  • Origin/Referer validation: Check request origin on server
  • Custom headers: Require X-Requested-By header for AJAX
  • Double-submit cookie pattern
  • Re-authentication for sensitive actions

CSRF vs XSS: CSRF exploits trust the server has in the browser. XSS exploits trust the browser has in the server. CSRF does not require the attacker to see the response — they just need to trigger the action.

Session Management

Handling user sessions securely

Secure Session IDs

Session IDs should be long, random, and generated using cryptographically secure pseudo-random number generators (CSPRNG).

Session Expiry

Implement absolute and idle timeouts. Destroy sessions on logout and regenerate IDs after login to prevent session fixation.

Cookie Security Flags

Set Secure (HTTPS only), HttpOnly (not accessible via JavaScript), and SameSite (prevents CSRF) flags on session cookies.

Session Storage

Store sessions server-side (Redis, database) rather than in JWTs or client-side storage. This allows invalidation and revocation.

Secure Coding Practices

Validate and sanitize all user inputs on the server side
Use parameterized queries / ORM to prevent SQL injection
Encode output to prevent XSS (context-appropriate encoding)
Use HTTPS everywhere — redirect HTTP to HTTPS
Implement proper authentication with MFA support
Use the principle of least privilege for all components
Keep dependencies updated — use SCA tools
Never trust client-side validation — always validate server-side
Use proper error handling — don't leak stack traces
Implement rate limiting and brute-force protection
Log security events with sufficient detail
Conduct regular security reviews and penetration testing

Interview Questions

Common web security interview questions with answers