Browser Security

1. XSS (Cross-Site Scripting)

Issue:
Attackers inject malicious JavaScript into web pages, which runs in users’ browsers and can steal data or perform actions as the user.

Examples:

  • Stored XSS: a <script> tag saved in comments or posts and served to every later visitor
  • Reflected XSS: Malicious script injected via URL parameters
  • DOM-based XSS: Unsafe client-side rendering (e.g. innerHTML)

Prevention:

  • Escape / encode all output
  • Sanitize user input
  • Use secure frameworks (React, Vue)
  • Set a Content Security Policy (CSP) to restrict script sources
  • Use HttpOnly cookies to limit impact

2. CSRF (Cross-Site Request Forgery)

Issue:
A user’s browser is tricked into sending authenticated requests without the user’s intention.

Examples:

  • Hidden image triggers a money transfer
  • Auto-submitted forms from malicious sites

Prevention:

  • Use CSRF tokens
  • Use SameSite cookies (Strict or Lax)
  • Validate Origin / Referer headers
  • Use HTTPS to prevent request tampering

3. Cross-Origin Data Access Abuse

(What Same-Origin Policy (SOP) and CORS are designed to prevent)

Issue:
Malicious websites attempt to read or manipulate data from another origin.

Examples:

  • A script on evil.com tries to read cookies or DOM from bank.com
  • Unauthorized cross-origin API calls from untrusted sites

Prevention:

  • Enforce Same-Origin Policy (SOP) in the browser
  • Use CORS headers to allow only trusted origins
  • Avoid Access-Control-Allow-Origin: * for sensitive APIs

4. Cookie Abuse

Issue:
Attackers steal or misuse cookies to hijack user sessions.

Examples:

  • XSS reads session cookies
  • Cookies sent over HTTP are intercepted

Prevention:

  • Set HttpOnly to block JavaScript access
  • Set Secure flag to enforce HTTPS transfer
  • Use SameSite to limit cross-site sending
  • Always use HTTPS

5. Man-in-the-Middle (MITM)

Issue:
Attackers intercept or modify traffic between browser and server.

Examples:

  • Stealing login credentials over HTTP
  • Injecting malicious scripts into responses

Prevention:

  • Use HTTPS (TLS) everywhere
  • Use HSTS to enforce HTTPS
  • Use CSP to block injected scripts

🧠 Ultra-Short Cheat Sheet

  • XSS → Escape, sanitize, CSP
  • CSRF → Tokens, SameSite
  • Cross-origin abuse → SOP, CORS
  • Cookie abuse → HttpOnly, Secure, SameSite
  • MITM → HTTPS, HSTS