Security
Common attacks on websites and the everyday defenses that stop them
Content Security Policy (CSP)
intermediateA whitelist that a website hands to the browser, saying 'only run code, fonts, and images from these places I trust: refuse anything else.' If an attacker manages to slip a sneaky script onto the page, the browser blocks it because it didn't come from an approved source.
CSRF (Cross-Site Request Forgery)
intermediateAn attack that abuses the fact that you're already logged into a site. A different, sneaky page tricks your browser into sending a request to that trusted site on your behalf. And the site thinks it's you, because your login is still valid.
DDoS (Distributed Denial of Service)
intermediateAn attack where a huge crowd of computers all hammer the same website at once, drowning it in fake traffic until real visitors can't get through. The attacker doesn't break in. They just make so much noise that nobody else can be heard.
Encryption vs Hashing
intermediateTwo ways of protecting data, often confused. Encryption scrambles information with a key: anyone with the key can unscramble it later. Hashing is a one-way blender: it turns the data into a fixed scramble that can never be turned back. Payment details are encrypted (the company needs to read them). Passwords are hashed (nobody, not even the company, should be able to read them).
HTTPS / TLS
beginnerThe technology that puts the little padlock in your browser's address bar. It scrambles all the traffic between your device and the website, so anyone snooping on the connection, at a coffee shop, on a hotel Wi-Fi, only sees nonsense. It also confirms that the site really is who it claims to be, not an imitation.
Input Sanitization
beginnerCarefully cleaning anything a visitor types into a website before doing anything with it: stripping out tricks, rejecting weird formats, and making sure the data is what you expected. It's the front-line defense against attackers who try to slip dangerous instructions into ordinary-looking form fields.
Multi-Factor Authentication (MFA)
beginnerLogging in with more than just a password. Usually it's something you know (the password) plus something you have (a phone, an authenticator app, a security key) or something you are (your fingerprint or face). Even if a thief steals your password, they can't get in without that second piece.
OWASP Top 10
beginnerA short, regularly updated list of the ten most common ways websites get hacked. It's put together by a respected security organization and acts as the industry's checklist of 'don't get caught by these.' Most websites that get breached fall victim to one of these very familiar mistakes.
Principle of Least Privilege
intermediateGive every person, app, and service the smallest set of permissions they need to do their job. And nothing more. The point is to limit the damage if any one of them ever gets hacked or makes a mistake. A compromised account can only break what it was allowed to touch.
Same-Origin Policy
intermediateA built-in browser rule that says code running on one website is not allowed to peek at the data of a different website. It's one of the most important security boundaries on the web: without it, any random site you visit could quietly steal information from any other site you happen to be logged into.
Secrets Management
beginnerThe careful way teams handle the sensitive things their apps need: passwords, API keys, signing tokens. The rules: never paste them into the code, never email them around, store them in a locked-down vault, and only hand them to the app at the moment it actually runs.
SQL Injection
beginnerAn old but devastating attack where someone types a database command into a normal-looking form field. If the website sloppily glues that text straight into its database queries, the attacker's command runs: letting them read, change, or even delete every record. It's prevented by treating user input strictly as data, never as instructions.
XSS (Cross-Site Scripting)
beginnerAn attack where someone sneaks harmful code into a website you trust: usually by typing it into a comment box or form field. When other people visit the page, the bad code runs in their browser as if the website itself put it there. It's prevented by treating anything users type as plain text, never as instructions.
Zero Trust
advancedA security mindset that says 'don't automatically trust anyone, even inside the building.' Every person and every device has to prove who they are and what they're allowed to do for every important action: instead of being given a free pass just because they're connected to the company Wi-Fi.