Security
Security Overview
These notes cover web security from principles to practical vulnerabilities, including defense strategies and best practices for building secure applications.
Core Concepts
- Web - Security headers, same-origin policy, CSP, trusted types, crypto, and user privacy
- Sandbox - Snapshot, proxy, and iframe sandbox techniques
- Zero Trust - Zero trust architecture and access control
Common Vulnerabilities
Injection Attacks
- XSS - Cross-site scripting attacks and protections
- CSRF - Cross-site request forgery attacks and protections
- SQL Injection - SQL injection attacks and protections
- Command Injection - Command injection attacks and protections
- HTTP Injection - HTTP injection including malicious redirects and header injection
- Object Injection - Object injection attacks and insecure object comparison
- XML - XML bombs and external entity attacks
Authentication and Session
- Authentication - Password attacks, user enumeration, and authentication protections
- Session - Session hijacking and fixation protections
Miscellaneous Vulnerabilities
- Clickjacking - Clickjacking attacks and frame busting
- File Upload - File upload injection attacks and protections
- Directory Traversal - Directory traversal attacks and protections
- Information Leakage - Information leakage attacks and protections
- Denial of Service - DoS, DDoS, and ReDoS attacks and protections
Supply Chain
- Supply Chain - Supply chain attacks, malicious packages, and protection strategies
LLM Security
- Prompt Injection - Prompt injection attacks in AI/LLM applications
Best Practices
- Best Practices - Security principles, defensive programming, checklist, and references