© 2026 CheatGrid™. All rights reserved.

Web Security Basics Cheat Sheet

Updated 2026-03-10

Web security encompasses the practices and controls that protect web applications from attacks that threaten confidentiality, integrity, and availability. In the modern threat landscape, where applications process sensitive data and connect users across untrusted networks, defending against injection attacks, authentication bypasses, and misconfigurations is no longer optional—it's a fundamental requirement. Understanding how attackers exploit common vulnerabilities like XSS, CSRF, and SQL injection, and knowing the concrete patterns and headers that prevent them, equips developers to build systems that resist both automated scanning and targeted exploitation.

What This Cheat Sheet Covers

This topic spans 20 focused tables and 159 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Injection Attack Types
Table 2: XSS Attack Variants
Table 3: SQL Injection Prevention
Table 4: Cross-Site Request Forgery (CSRF) Protection
Table 5: Authentication Best Practices
Table 6: Password Security
Table 7: HTTP Security Headers
Table 8: Content Security Policy Directives
Table 9: Input Validation and Sanitization
Table 10: Session Security
Table 11: Access Control and Authorization
Table 12: Encryption and Data Protection
Table 13: API Security
Table 14: Common Vulnerabilities
Table 15: File Upload Security
Table 16: Security Testing Methods
Table 17: Same-Origin Policy and CORS
Table 18: Error Handling and Logging
Table 19: Web Application Firewall (WAF)
Table 20: Secure Development Practices

Table 1: Injection Attack Types

Columns: Attack / Example / Description

SQL Injection
Example: SELECT * FROM users WHERE id = '$input'
• Attacker-controlled input is concatenated into the query text, so a value such as 2' OR '1'='1 changes the structure of the query instead of being compared as data.
• Prevented by parameterized queries and prepared statements, which fix the SQL text up front and bind the input as a value.

Cross-Site Scripting (XSS)
Example: <script>alert(document.cookie)</script>
• Injection of attacker-supplied JavaScript into web pages viewed by other users.
• Executes in the victim's browser with the privileges of the vulnerable origin, enabling session theft and account takeover; mitigated by context-aware output encoding, a Content Security Policy, and HttpOnly session cookies.

XML External Entity (XXE)
Example: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
• Exploits XML parsers that resolve external entities to read local files or to make the server issue requests to other systems.
• Prevented by disabling DTD processing and external entity resolution in the XML parser.

Server-Side Request Forgery (SSRF)
Example: http://app.com/fetch?url=http://169.254.169.254/
• Tricks the server into making requests on the attacker's behalf to internal resources or cloud metadata endpoints (169.254.169.254 is the link-local metadata address on major clouds).
• Requires allowlisting destination hosts and blocking private, loopback and link-local addresses. The address check must be applied to the resolved IP (not only the literal hostname) and repeated on every redirect, since DNS rebinding and open redirects bypass a check on the original URL alone.
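The SQL injection and SSRF rows above as runnable Python. This is an added example, not code from the CheatGrid page: the `users` table and its rows, the `ALLOWED_HOSTS` allowlist, and the fake DNS resolver in the demo are all constructed for the illustration. `lookup_vulnerable` reproduces the table's `WHERE id = '$input'` pattern, `lookup_parameterized` is the prepared-statement fix, and `is_safe_fetch_url` shows why the SSRF check has to run against the resolved address rather than the literal URL.

```python
# Added example, not the page's own code: the SQL injection row and the SSRF
# row of Table 1 as runnable Python. The table, rows, allowlist and resolver
# below are constructed for the demo.
import ipaddress
import socket
import sqlite3
from urllib.parse import urlsplit


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The table's pattern: SELECT * FROM users WHERE id = '$input'.
    Interpolating the input lets it change the structure of the query."""
    sql = f"SELECT id, name, role FROM users WHERE id = '{user_input}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """Prepared statement: the query text is fixed and the input is bound as
    a value, so quotes and OR clauses inside it are just characters."""
    sql = "SELECT id, name, role FROM users WHERE id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


# Hypothetical allowlist of hosts the fetch endpoint is permitted to contact.
ALLOWED_HOSTS = frozenset({"cdn.example.com", "images.example.com"})


def resolve_addresses(host: str) -> list:
    """Default resolver (needs network). The demo and tests inject a fake one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_fetch_url(url: str, resolver=resolve_addresses,
                      allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist the hostname, then reject any non-public resolved address.
    Checking the resolved addresses, not just the literal host, is what stops
    an allowed name that DNS points at 169.254.169.254 or a 10.x address.
    The same check must be re-run on every redirect the fetch follows."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host or host not in allowed_hosts:
        return False
    addresses = resolver(host)
    if not addresses:
        return False
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # ::ffff:10.0.0.5 reaches the same target as 10.0.0.5; unmap it first.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:  # private, loopback, link-local, reserved, ...
            return False
    return True


if __name__ == "__main__":
    db = make_db()
    payload = "2' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, payload))      # all three rows
    print("parameterized:", lookup_parameterized(db, payload))   # []
    fake_dns = {"cdn.example.com": ["93.184.216.34"]}  # constructed answers
    print(is_safe_fetch_url("https://cdn.example.com/a.png", lambda h: fake_dns.get(h, [])))
    print(is_safe_fetch_url("http://169.254.169.254/latest/meta-data/", lambda h: []))
```

Because `urlsplit(...).hostname` discards userinfo, a URL like `https://cdn.example.com@10.0.0.5/` is seen as host `10.0.0.5` and fails the allowlist; the resolver injection is what lets the rebinding case be exercised offline.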
