OWASP Top 10
beginnerDefinition
A short, regularly updated list of the ten most common ways websites get hacked. It's put together by a respected security organization and acts as the industry's checklist of 'don't get caught by these.' Most websites that get breached fall victim to one of these very familiar mistakes.
In the wild
Before launching a new website, a small team runs through the OWASP Top 10 like a pre-flight checklist. 'Are we checking who's allowed to do what? Are we storing passwords safely? Are we cleaning the inputs from forms?' Each item ticked off closes a common door that attackers walk through.
More from Security
Content Security Policy (CSP)
A whitelist that a website hands to the browser, saying 'only run code, fonts, and images from these places I trust: refuse anything else.' If an attacker manages to slip a sneaky script onto the page, the browser blocks it because it didn't come from an approved source.
CSRF (Cross-Site Request Forgery)
An attack that abuses the fact that you're already logged into a site. A different, sneaky page tricks your browser into sending a request to that trusted site on your behalf. And the site thinks it's you, because your login is still valid.
DDoS (Distributed Denial of Service)
An attack where a huge crowd of computers all hammer the same website at once, drowning it in fake traffic until real visitors can't get through. The attacker doesn't break in. They just make so much noise that nobody else can be heard.
Encryption vs Hashing
Two ways of protecting data, often confused. Encryption scrambles information with a key: anyone with the key can unscramble it later. Hashing is a one-way blender: it turns the data into a fixed scramble that can never be turned back. Payment details are encrypted (the company needs to read them). Passwords are hashed (nobody, not even the company, should be able to read them).
HTTPS / TLS
The technology that puts the little padlock in your browser's address bar. It scrambles all the traffic between your device and the website, so anyone snooping on the connection, at a coffee shop, on a hotel Wi-Fi, only sees nonsense. It also confirms that the site really is who it claims to be, not an imitation.
Input Sanitization
Carefully cleaning anything a visitor types into a website before doing anything with it: stripping out tricks, rejecting weird formats, and making sure the data is what you expected. It's the front-line defense against attackers who try to slip dangerous instructions into ordinary-looking form fields.