Skip to main content

Important Terms

CORS

  • Cross origin resource sharing (CORS) blocks unintended sites from fetching contents of legitimate site.
  • Example:
    • If bank.com setup CORS that does not allow any external resource sharing access then attacker with malicious.com website cannot fetch data from bank.com.
    • Attacker can still write python script that can fetch data from bank.com however due to CORS attacker cannot setup malicious.com that uses JS to fetch data.
    • This protection is provided by the browser to protect User data such as cookies.
  • These flags makes cookies secure
  • Secure: Ensures cookies are sent only on HTTPS protocol
  • HTTPOnly: JS cannot access cookie. Prevents XSS cookie stealing attack.
  • SameSite: Prevents CSRF. Values include
    • Strict: Cross site cannot access cookie and user redirected from cross site to original site cannot access cookie on original site. Required to visit original site (no redirection) to access the cookie.
    • Lax: Cross site cannot access cookie on original site, but user redirected from cross site to original site can access cookie on original site.
    • None: Cross site can access cookie on original site and redirected user can access cookie of original site.

Security Headers

  • These are directives to the browser that follows the response header that secures the website.
  • CSP/content-security-policy: Restricts where scripts, images and styles can load from. Mitigates XSS as attacker cannot source external (untrusted) scripts.
  • HSTS/(HTTP Strict Transport Security): Prevents HTTPS downgrade. Forces browser to use HTTPS.
  • X-Frame-Options: Prevents clickjacking by disallowing your site to be used in iframe.
  • X-Content-Type-Options: Prevents browser from guessing the content type of file uploads preventing MIME type attacks.