Authentication verifies the identity of the user. Most web authentication schemes fall into two kinds: stateless and stateful.

Stateful Authentication

If the web server stores data in server memory and uses it to identify the user as an always-connected client, the service is called stateful. There are different types of stateful authentication.

1. Basic HTTP Authentication

Basic HTTP Authentication transmits credentials as user ID/password pairs encoded using base64. It is stateful authentication. The user submits login credentials (username and password).

HTTP authentication scheme

Authorization: <type> <credentials> 
Authorization: Basic userid:password
Authorization: Basic QUFBQUFBQUF:CQkJCQkJCQkI=

The username and password are concatenated with a colon (:) in…
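The following is an added example, not code from the original article, showing how a server parses the Authorization header described above and why base64 offers no secrecy: the same call that builds the header can be reversed by anyone who observes it. The credential store, user name and password are constructed sample values.

```python
import base64
import binascii
import hmac

# Constructed sample credential store (user id -> password).
# A real server stores a salted password hash, never the plaintext.
CREDENTIALS = {"alice": "s3cret"}


def build_basic_header(user_id: str, password: str) -> str:
    """Build the value a client sends: "Basic " + base64(userid ":" password)."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header_value: str):
    """Return (user_id, password) from an Authorization header, or None if malformed.

    Base64 is an encoding, not encryption: decoding needs no key, which is why
    Basic authentication must only travel over HTTPS.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the two parts; a password may contain colons.
    user_id, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user_id, password


def authenticate(header_value: str) -> bool:
    """Validate a request's Authorization header against the credential store."""
    parsed = parse_basic_header(header_value)
    if parsed is None:
        return False
    user_id, password = parsed
    expected = CREDENTIALS.get(user_id)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


if __name__ == "__main__":
    header = build_basic_header("alice", "s3cret")
    print(header)                       # the header as it appears on the wire
    print(parse_basic_header(header))   # trivially recovered without any key
    print(authenticate(header))
```

Because the header is reversible, a server that accepts Basic authentication should reject it on plain HTTP and should treat any log that captures request headers as containing passwords.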


This article is for beginners who want to learn about Browser security headers and concepts. Let’s get started! 😃

Prerequisite knowledge: HTML basics and how HTTP requests work


1. HTTP Strict Transport Security Header (HSTS)

HSTS tells the browser that it should always connect over HTTPS, even for the initial request. HSTS is easy to enable on a web page, but at the same time it is easy to overlook. If an attacker tries to change HTTPS to HTTP, the browser automatically redirects the request back to HTTPS when HSTS is enabled.

For instance


7. Set-Cookie Header

What is a cookie, and why do we need to set it in the HTTP header?

For example, let's assume the user is a returning user on some website:

Step 1 → The user submits login credentials (username and password).

Step 2 → The server verifies the credentials against the database.

Step 3 → The server creates a temporary user session and issues a cookie with the session ID.

Step 4 → The user sends the cookie with each request (because HTTP is stateless, each request is treated as a new request).

Step 5 → The server validates it against the session store & grants…
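The five steps above, as an added example that is not part of the original article: a minimal in-memory session store that issues a session cookie at login, validates it on every request, and expires it. The login response also carries the Strict-Transport-Security header from section 1 so the cookie's Secure attribute is backed by HTTPS-only access. The user database, session lifetime and all inputs are constructed sample values.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_TTL_SECONDS = 30 * 60
# Constructed stand-in for the credential database; real code stores password hashes.
USERS = {"alice": "s3cret"}
# Server-side session store (the state that makes this scheme stateful):
# session id -> {"user": ..., "expires": ...}
SESSIONS = {}


def login(username: str, password: str, now: float = None) -> dict:
    """Steps 1-3: verify credentials, create a session, issue the Set-Cookie header."""
    now = time.time() if now is None else now
    if USERS.get(username) != password:   # compare against a hash with hmac.compare_digest in real code
        return {"status": 401, "headers": {}}
    # 256 bits from the CSPRNG: the session id must be unguessable.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    cookie = (
        f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict; "
        f"Max-Age={SESSION_TTL_SECONDS}"
    )
    return {
        "status": 200,
        "headers": {
            "Set-Cookie": cookie,
            # HSTS: the browser will only talk to this site over HTTPS from now on.
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        },
    }


def _session_id(cookie_header: str):
    """Extract the sid value from a request's Cookie header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get("sid")
    return morsel.value if morsel is not None else None


def current_user(cookie_header: str, now: float = None):
    """Steps 4-5: look the presented session id up in the store on every request."""
    now = time.time() if now is None else now
    sid = _session_id(cookie_header)
    if sid is None:
        return None
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if session["expires"] <= now:
        SESSIONS.pop(sid, None)   # expired sessions are purged, not honoured
        return None
    return session["user"]


def logout(cookie_header: str) -> dict:
    """Invalidate the session server-side and tell the browser to drop the cookie."""
    sid = _session_id(cookie_header)
    if sid is not None:
        SESSIONS.pop(sid, None)
    return {"status": 200, "headers": {"Set-Cookie": "sid=; Path=/; HttpOnly; Secure; Max-Age=0"}}


def session_id_from_set_cookie(set_cookie_value: str) -> str:
    """Helper: recover the sid a Set-Cookie header assigned (what a browser would store)."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[1]


if __name__ == "__main__":
    resp = login("alice", "s3cret")
    sid = session_id_from_set_cookie(resp["headers"]["Set-Cookie"])
    print(current_user(f"sid={sid}"))   # alice
    logout(f"sid={sid}")
    print(current_user(f"sid={sid}"))   # None
```

The attributes on the cookie are the defensive part of step 3: HttpOnly keeps script from reading the session id, Secure keeps it off plain HTTP, SameSite=Strict stops other sites from sending it, and Max-Age bounds how long a stolen cookie stays useful. Invalidating the server-side entry at logout matters because deleting the cookie in the browser alone leaves the session valid for anyone who already copied it.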


Cross-site scripting is a classic, well-known type of attack that is possible because some software applications take user input in an insecure way. This happens via search fields, survey forms, cookies, and online web forms.

Types → Reflected XSS, Stored XSS, and DOM XSS.

  1. Reflected XSS → This attack occurs when a malicious script is reflected in the website’s results.

For Instance,

An attacker gives your web application JavaScript tags as input (<script type='text/javascript'>alert('Possible XSS');</script>).

When this input is returned to the user unsanitized, the user’s browser will execute it. It can be as simple as crafting a link and inducing…
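The reflection described above, as an added example that is not code from the original article: a search page that echoes the query back into its HTML, first in the unsanitized form that executes the author's sample payload, then with the input escaped so the same string is rendered as text. The page template and query strings are constructed sample values.

```python
import html

# Constructed page template: the search term is reflected into the results page.
TEMPLATE = '<h1>Results for: {q}</h1>\n<input name="q" value="{q}">'


def render_unsafe(query: str) -> str:
    """Vulnerable: the raw query is reflected into the HTML unchanged."""
    return TEMPLATE.format(q=query)


def render_safe(query: str) -> str:
    """Fixed: escape &, <, >, " and ' before reflecting, so input stays text."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


def reflects_active_markup(page: str) -> bool:
    """Crude check used here only to show the difference: does the output
    contain a live script tag or an unescaped quote that closes the attribute?"""
    lowered = page.lower()
    return "<script" in lowered or 'value="">' in lowered or '" on' in lowered


if __name__ == "__main__":
    payload = "<script type='text/javascript'>alert('Possible XSS');</script>"
    print(render_unsafe(payload))   # the browser would execute this
    print(render_safe(payload))     # the browser shows it as literal text
```

Escaping must match the context the value lands in: html.escape with quote=True covers text nodes and quoted attribute values, which is what the template above uses. Values placed inside a script block, a URL, or CSS need their own encoders, and output encoding in the template layer is the control that closes the reflected case regardless of where the input came from.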

Kamesh Karmegam

Security Engineer
