tag
web
2 articles with this tag
2026-06-08
What is XSS (Cross-Site Scripting) — code running in someone else's browser
XSS gets an attacker-supplied string executed as script in another user's browser, which leads straight to session theft and impersonation. The real defense is context-aware escaping on output. Don't disable your framework's auto-escaping.
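A concrete version of the output-escaping advice, added here as an example rather than code from the article: an HTML escaper, a vulnerable string-concatenation render next to its hardened form for both the text and the attribute context, and a small audit helper that lists the tags and on* handlers a parser would see in each result. Payloads, template strings and function names are all constructed for the demonstration.

```javascript
// Added example, not code from the linked article: context-aware HTML output
// escaping, a vulnerable string-concatenation render beside its hardened form,
// and a small audit that shows which one let a tag or event handler through.
// Payloads and templates below are constructed for the demonstration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Escape a value for the HTML text context or a *quoted* attribute value.
// Every character that could close the current context or open a tag or
// entity is replaced, so the browser can only ever treat it as data.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted input is concatenated straight into markup, so a
// string containing "<" is parsed as a tag, not displayed as text.
function renderGreetingUnsafe(displayName) {
  return `<p>Hello, ${displayName}!</p>`;
}

// Hardened: same template, input escaped at the point of output.
function renderGreetingSafe(displayName) {
  return `<p>Hello, ${escapeHtml(displayName)}!</p>`;
}

// Attribute context. The value must be quoted AND escaped: with escaping but
// no quotes, a space in the input still starts a new attribute.
function renderAvatarUnsafe(altText) {
  return `<img src="/avatar.png" alt="${altText}">`;
}
function renderAvatarSafe(altText) {
  return `<img src="/avatar.png" alt="${escapeHtml(altText)}">`;
}

// Audit helper: list the tag names and on* attribute names an HTML parser
// would see. Escaped text never shows up here because it has no raw "<".
function auditMarkup(html) {
  const tags = [];
  const handlers = [];
  const tagRe = /<\s*\/?\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([^\s=\/"']+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    tags.push(tag[1].toLowerCase());
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      if (/^on/i.test(attr[1])) handlers.push(attr[1].toLowerCase());
    }
  }
  return { tags, handlers };
}

// Constructed payloads: one for the text context, one that tries to break
// out of a quoted attribute value.
const TEXT_PAYLOAD = "<img src=x onerror=alert(document.cookie)>";
const ATTR_PAYLOAD = '" onmouseover="alert(1)';

// Run all four renders through the audit. The unsafe ones expose the injected
// tag or handler; the escaped ones show only what the template itself had.
function demo() {
  return {
    textUnsafe: auditMarkup(renderGreetingUnsafe(TEXT_PAYLOAD)),
    textSafe: auditMarkup(renderGreetingSafe(TEXT_PAYLOAD)),
    attrUnsafe: auditMarkup(renderAvatarUnsafe(ATTR_PAYLOAD)),
    attrSafe: auditMarkup(renderAvatarSafe(ATTR_PAYLOAD)),
  };
}
```

The escaper covers the text context and quoted attribute values only; a value dropped into a `<script>` block, a URL, or inline CSS needs the escaping rules of that context, which is the reason to let the framework's template engine do it rather than hand-rolling one call per site.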
2026-06-08
What is CSRF (Cross-Site Request Forgery) — making a logged-in user act without meaning to
CSRF makes a logged-in user's browser send an unintended action, abusing the browser's habit of auto-attaching cookies to cross-site requests. The real defense is CSRF tokens plus SameSite cookies. Never use GET for state changes.