Web Security
Everything on SkillVeris tagged Web Security — collected across the glossary, study notes, blog, and cheat sheets.
25 resources across 2 libraries
Study Notes(1)
Interview Questions(24)
What Techniques Prevent SQL Injection?
SQL injection is prevented primarily by using parameterized queries (or prepared statements) so user input is always bound as data and never concatenated into…
Difference Between HTTP and HTTPS
HTTP (HyperText Transfer Protocol) transfers web data in plain text, while HTTPS is the same protocol running over a TLS-encrypted connection — so HTTPS adds e…
How Do Cookies Work Over HTTP?
A cookie is a small piece of state a server asks a browser to store via the `Set-Cookie` response header, which the browser then automatically re-attaches on t…
What is CORS and How Does It Work?
CORS (Cross-Origin Resource Sharing) is a browser-enforced security mechanism that lets a server explicitly declare, via HTTP response headers, which other ori…
HTTPS vs HTTP: What Security Does HTTPS Add?
HTTPS is HTTP layered on top of TLS, adding encryption, integrity, and server authentication that plain HTTP has none of — meaning HTTPS traffic cannot be read…
Cookies vs Sessions vs JWT
A cookie is a small piece of data the browser stores and sends back with each request; a session keeps user state on the server and uses a cookie holding only…
What is CORS?
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that lets a server explicitly permit web pages from one origin to make requests to a diffe…
What is the Same-Origin Policy?
The Same-Origin Policy (SOP) is a browser security rule that restricts scripts on one origin (scheme, host, and port) from reading data from a different origin…
What is CSRF?
CSRF (Cross-Site Request Forgery) is an attack where a malicious site tricks a victim's browser into sending an authenticated request to another site the victi…
What is XSS?
XSS (Cross-Site Scripting) is a vulnerability where an attacker injects malicious JavaScript into a page viewed by other users, letting that script run with th…
What is Content Security Policy (CSP)?
Content Security Policy (CSP) is an HTTP response header that tells the browser which sources of scripts, styles, images, and other resources are allowed to lo…
What Is Clickjacking and How Do You Prevent It?
Clickjacking is an attack where a malicious page overlays or embeds a legitimate site inside a transparent or disguised iframe, tricking a user into clicking o…
What Is SQL Injection and How Do You Prevent It?
SQL injection is a vulnerability where an attacker supplies crafted input that gets concatenated directly into a SQL query string, causing the database to exec…
What Are the Secure and HttpOnly Cookie Attributes?
The Secure attribute tells the browser to send a cookie only over HTTPS connections, and the HttpOnly attribute tells the browser to hide the cookie from JavaS…
What Is the SameSite Cookie Attribute and How Does It Prevent CSRF?
SameSite is a cookie attribute that tells the browser whether to include the cookie on requests originating from a different site than the one that set it, and…
What Is Subresource Integrity (SRI)?
Subresource Integrity is a browser security feature where you attach a cryptographic hash of an expected file to a script or stylesheet tag so the browser refu…
What Are JWT Security Best Practices?
Secure JWT usage means always validating the signature with a fixed, expected algorithm on the server, keeping tokens short-lived with refresh rotation, storin…
What Is a Session Fixation Attack and How Do You Prevent It?
Session fixation is an attack where an attacker sets or predicts a victim’s session identifier before login and then, once the victim authenticates using that…
What Is HTTPS and What Causes Mixed Content Errors?
HTTPS is HTTP layered over TLS, encrypting and authenticating traffic between browser and server, and mixed content occurs when a page loaded securely over HTT…
What Are HTTP Security Headers and Why Do They Matter?
HTTP security headers are response headers a server sends to instruct the browser to enable or restrict specific behaviors — such as blocking inline scripts, r…
How Do CSP Nonces Prevent Inline Script Injection?
A CSP nonce is a random, single-use token the server generates per response and embeds both in the Content-Security-Policy header and as a nonce attribute on e…
What Does the Referrer-Policy Header Control?
The Referrer-Policy header controls how much information about the current page’s URL the browser includes in the Referer header when the user navigates away o…
What Is the Permissions-Policy Header Used For?
The Permissions-Policy header lets a site explicitly enable or disable powerful browser features — such as the camera, microphone, geolocation, or autoplay — f…
What Is the Trusted Types API and How Does It Prevent DOM XSS?
The Trusted Types API is a browser-enforced mechanism, activated via a CSP directive, that blocks a page’s dangerous DOM sinks — like innerHTML or eval — from…