Common web security terms and concepts a frontend developer should know.
Same-Origin Policy
A browser policy limiting the ability of a page from reading resources from different origins. Two resources are from the same origin only if they have the same protocol, host, and port.
CORS
The Cross-Origin Resource Sharing
system for circumventing the same-origin policy when a cross-origin request is necessary. A server can allow cross-origin requests by including the Access-Control-Allow-Origin
header.
Cross-Site Scripting Attack(XSS)
A common security vulnerability, also known as XSS
, where an attacker is able to run code on a vulnerability site, thus circumventing the same-origin policy. There are a few common forms of cross-site scripting:
Persistent:
A vulnerability that persists beyond a single session, usually from the attacker storing malicious code in the vulnerable database. A common example of this is leaving a comment with code that when appended to the page by the client is executed.
Non-persistent:
A vulnerability that does not persist beyond a single session, usually when an attacker takes advantage of how the client processes a URL query parameter to execute malicious code on the client.
DOM-based:
A vulnerability that happens exclusively on the frontend without any need for sending data to the server, thus making the attack harder to track.
Cross-Site Request Forgery Attack(CSRF)
A common security vulnerability, also known as CSRF
, where an attacker sends a request to a server and is able to convince the server it was sent by their client. CSRF attacks can usually be prevented by using a CSRF token, a unique token given to the client that a forged request would not be able to replicate.
OAuth
Open Authorization, a common standard for service authorization. Services can use OAuth to allow users to give other services specific API access to portions of their accounts.
JSON Web Token(JWT)
A standard for signed JSON tokens, oftentimes referred to by its abbreviation JWT
. JSON Web Tokens have three sections:
- A header with information about the encryption algorithm used.
- The payload data.
- The signature, which is created by the server using a secret key so that it can determine if it has been tampered with.