This article is for beginners who want to learn about Browser security headers and concepts. Let’s get started! 😃

Prerequisite knowledge: HTML basics and How HTTP request works

1. Http Strict Transport Security Header (HSTS)

HSTS tells the browser that it should always connect over HTTPS, even for the initial request. HSTS is easy to enable on the web page but at the same time, it is easy to overlook. If attackers try to change HTTPS to HTTP it automatically redirected to https, if HSTS is enabled.

For instance

7. Set-Cookie Header

What is a Cookie? why do we need to set up in the HTTP header?

For example, let’s assume the user is returning user in some website,

Step1 → The user submits login credentials (username and password)

Step2 → The Server verifies the credentials against the Database,

Step3 → The server creates a temporary user session and issues a cookie with the Session ID,

Step4 → The user sends the cookie with each request, ( because HTTP is stateless, so each request is considered as a new request)

Step5 → The Server validates it against the session store & grants…

Cross-site scripting is a classic well-known type of attack that is possible because some software applications take user input in an insecure way. This happens via search fields, survey forms, cookies, and online web forms.

Types → Reflected XSS, Stored XSS, and DOM XSS.

1. Reflected XSS → This attack occurs when a malicious script is reflected in the website’s results.

For Instance,

An attacker gives your web application JavaScript tags on input(<script type=’text/javascript’>alert(‘Possible XSS’);</script>

When this input is returned to the user unsanitized, the user’s browser will execute it. It can be as simple as crafting a link and inducing…