Security Flashcards
How can we handle CSRF (cross site request forgery) attacks?
This is usually handled by adding an anti-CSRF token, issued by the server to the client, to every form or request that sends state-changing data to the server, and rejecting requests whose token is missing or does not match.
Another way to handle this is by setting the SameSite cookie attribute or by checking the Origin and Referer headers.
Of course, we could also re-authenticate the user for operations that change sensitive data.
What is clickjacking and how can we handle this vulnerability?
It’s a type of web attack that consists of loading a legitimate page in an <iframe>, overlaying it on a malicious website, and mapping the areas where the user might input sensitive information (such as credentials) so that clicks and keystrokes land on the hidden frame. The main way to prevent these attacks is to disallow framing of the page by using the X-Frame-Options or CSP (frame-ancestors) headers, or by using JavaScript to check the top-level URL and break out of the frame if it is not the same origin.
Where should the defense mechanisms be implemented if it’s possible?
It is better to implement security mechanisms on the server side whenever this is possible, since client-side checks can be bypassed by the attacker.
What is XSS? How can it be prevented?
This happens when an attacker injects malicious code into a legitimate website through web scripts.
Web scripts are pieces of code that run in the browser.
There are three types: Reflected, Stored and DOM-based.