Web Security
Every web application is a target. Web security is the practice of protecting applications, users, and data from attack. The Open Web Application Security Project (OWASP) maintains an influential list of the most critical risks (OWASP Top 10). This chapter surveys key threats and defences.
Cross-Site Scripting
XSS injects malicious JavaScript into pages viewed by other users. Stored, reflected, and DOM-based variants exist. Defences include escaping output with htmlspecialchars, setting Content Security Policy (CSP) headers, avoiding innerHTML with untrusted data, and using framework template auto-escaping.
SQL Injection
SQL injection manipulates queries by injecting malicious SQL via user input. Bypassing login with ' OR '1'='1 is the classic example. The cure is prepared statements with bound parameters — never concatenate user input into SQL. ORMs that use prepared statements internally are a safe default.
Cross-Site Request Forgery
CSRF tricks an authenticated user's browser into making unintended requests to a vulnerable site. Per-session, per-form CSRF tokens and the SameSite cookie attribute are primary defences. Sensitive actions should use POST, not GET.
Authentication and Passwords
Authenticate users with hashed passwords, not plaintext. Use password_hash() with bcrypt or Argon2, and password_verify() to check. Enforce reasonable password policies, implement rate limiting and account lockout, and support multi-factor authentication (MFA) for sensitive accounts.
Session Security
Regenerate session IDs after privilege changes (login, password reset). Set cookies with HttpOnly, Secure, and SameSite. Expire sessions after inactivity. Protect session storage on the server. Never embed session IDs in URLs.
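The defences from the SQL Injection, Authentication and Passwords, and Session Security sections come together in a single login handler. The following is an added example, not code from the chapter; it assumes PDO with an in-memory SQLite database and a constructed users table with one sample account.

```php
<?php
// Added example (not the chapter's own code): a login check that combines a
// prepared statement, password_verify(), and session-id regeneration.
// Uses an in-memory SQLite database via PDO so it runs stand-alone; the
// table, user and password below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Store only the hash, never the plaintext password (sample credentials, constructed).
$insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'alice', ':h' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);

/**
 * Returns the user's id on success, or null on failure.
 * The username is bound as a parameter, so input such as ' OR '1'='1 is
 * compared literally against the column and can never change the query.
 */
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

    // Verify against a dummy hash when the user is missing, so response time
    // does not reveal whether the username exists. Verify runs before the
    // null check for the same reason.
    $hash = $row['password_hash'] ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === null) {
        return null;
    }
    return (int) $row['id'];
}

$userId = authenticate($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    http_response_code(401);
    exit('Invalid credentials');
}

// Privilege changed (login): issue a fresh session id so an id obtained before
// login cannot be reused, and send the cookie with the attributes from this section.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();
session_regenerate_id(true);
$_SESSION['user_id'] = $userId;
```

Rate limiting and lockout from the Authentication section would wrap the call to authenticate(); they are omitted here to keep the example focused.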
HTTPS and TLS
HTTPS encrypts traffic with TLS, preventing eavesdropping and tampering. Use valid certificates from a trusted CA (Let's Encrypt is free). Redirect HTTP to HTTPS. Set HSTS to force HTTPS on compliant browsers. Certificate pinning is useful for high-security contexts.
Authorization and Access Control
After authentication, authorization decides what a user may do. Enforce checks on every sensitive endpoint, on the server side. Role-based access control (RBAC) and attribute-based access control (ABAC) are common models. Broken access control is the top OWASP risk.
Security Misconfiguration
Default credentials, verbose error messages, exposed .git directories, and unnecessary services are classic misconfigurations. Keep software up to date, minimize attack surface, and follow hardening checklists for your web server and database.
File Uploads and Validation
Treat uploaded files as dangerous. Validate MIME type, size, and extension. Store uploads outside the web root or behind authentication. Never execute user-provided files. Scan for malware in sensitive environments.
Logging and Monitoring
Log security-relevant events (logins, failures, permission changes). Monitor for anomalies and set alerts. Without logging, breaches go undetected. Protect logs from tampering and keep them long enough for forensic analysis.
Summary
Web security requires defence in depth: validate input, escape output, use prepared statements, protect authentication and sessions, enforce HTTPS, and keep systems patched. Following OWASP guidelines and framework security features closes most avenues of attack.