Cybersecurity & OWASP Cheatsheet Cheatsheet

🛡️

OWASP Top 10 (2021)

ESSENTIAL

OWASP Top 10 — 2021

#	Vulnerability	Risk
A01	Broken Access Control	CRITICAL
A02	Cryptographic Failures	HIGH
A03	Injection	CRITICAL
A04	Insecure Design	HIGH
A05	Security Misconfiguration	HIGH
A06	Vulnerable Components	HIGH
A07	Auth Failures	CRITICAL
A08	Software & Data Integrity	MEDIUM
A09	Logging & Monitoring Failures	MEDIUM
A10	Server-Side Request Forgery	HIGH

Quick Prevention Summary

Vulnerability	Prevention
Broken Access Control	RBAC, deny by default, check ownership
Crypto Failures	Strong algorithms, proper key mgmt
Injection	Parameterized queries, input validation
Insecure Design	Threat modeling, secure patterns
Misconfiguration	Automated hardening, minimal install
Vulnerable Components	Dependency scanning, updates
Auth Failures	MFA, strong password policy, lockout
SSRF	Allowlist, disable URL redirects

security/access-control.js

// ── A01: Broken Access Control — Prevention ──

// BAD: No authorization check
app.get('/api/users/:id', async (req, res) => {
  const user = await User.findById(req.params.id);
  res.json(user);  // Anyone can access any user!
});

// GOOD: Authorization check + ownership
app.get('/api/users/:id', authenticate, async (req, res) => {
  const user = await User.findById(req.params.id);
  if (!user) return res.status(404).json({ error: 'Not found' });

  // Only admins or the user themselves can access
  if (req.user.role !== 'admin' && req.user.id !== user.id) {
    return res.status(403).json({ error: 'Forbidden' });
  }

  res.json(user);
});

// Prevent IDOR (Insecure Direct Object Reference)
// Use UUIDs instead of sequential IDs
// Implement row-level security in database
// Always verify resource ownership

🚫

Broken Access Control is the #1 vulnerability (2021). Always enforce server-side authorization checks. Never trust client-side role checks. Use deny-by-default: if a role is not explicitly granted access, deny.

💉

Injection Attacks

CRITICAL

security/sql-injection.js

// ── SQL Injection (SQLi) ──

// BAD: String concatenation — VULNERABLE!
const query = `SELECT * FROM users WHERE email = '${req.body.email}'`;
// Attack: email = "' OR '1'='1' --" → returns ALL users

// GOOD: Parameterized queries (prevents SQLi)
const user = await db.query(
  'SELECT * FROM users WHERE email = $1',
  [req.body.email]
);

// GOOD: ORM with parameterized queries
const user = await prisma.user.findUnique({
  where: { email: req.body.email }
});

// ── NoSQL Injection ──
// BAD: Passing user input directly to query
const user = await User.find({ email: req.body.email, password: req.body.password });
// Attack: password = { "$gt": "" } → bypasses password check!

// GOOD: Type checking + schema validation
const user = await User.findOne({
  email: String(req.body.email),
  password: hash,  // compare server-side, never in query
});

// ── Command Injection ──
// BAD: Executing user input
const { exec } = require('child_process');
exec(`ping ${req.body.host}`);
// Attack: host = "google.com; rm -rf /"

// GOOD: Input validation + whitelisting
const allowedHosts = /^[a-zA-Z0-9.-]+$/;
if (!allowedHosts.test(req.body.host)) {
  return res.status(400).json({ error: 'Invalid host' });
}
exec('ping', ['-c', '4', req.body.host]);

// ── XSS (Cross-Site Scripting) ──
// BAD: Rendering user input without escaping
<div dangerouslySetInnerHTML={'{'}__html: userComment{'}'} />
// Attack: <script>stealCookies()</script>

// GOOD: Auto-escaping (React does this by default)
<div>{'{'}userComment{'}'}</div>  // Safe — React escapes

// GOOD: Sanitize if HTML is needed
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userComment);

security/xss-types.md

# ── XSS Types ──

STORED XSS:
- Malicious input stored in database
- Rendered to other users without escaping
- Most dangerous — persistent
- Prevention: Output encoding, CSP headers

REFLECTED XSS:
- Malicious input in URL/request reflected in response
- Victim clicks crafted link
- Prevention: Output encoding, input validation

DOM-BASED XSS:
- JavaScript modifies DOM with unsanitized data
- Happens entirely client-side
- Prevention: Avoid innerHTML, use textContent

# ── Prevention Checklist
- [ ] Use parameterized queries (no string concatenation)
- [ ] Validate ALL inputs (whitelist approach)
- [ ] Escape outputs (context-aware encoding)
- [ ] Set Content-Security-Policy headers
- [ ] Use HttpOnly cookies (prevent JS access)
- [ ] Sanitize HTML if needed (DOMPurify)

CSRF Prevention

Method	Description
CSRF Token	Hidden form token validated server-side
SameSite Cookie	SameSite=Strict or Lax
Origin Header	Verify Origin matches expected host
Double Submit Cookie	Token in cookie + header, compare
Custom Header	Require X-Requested-With header (AJAX)

Input Validation Principles

Rule	Description
Whitelist	Allow known-good, reject everything else
Type check	Verify expected data type
Length limit	Set maximum length on all fields
Sanitize	Remove/encode dangerous characters
Server-side	NEVER rely on client-side validation only
Schema validation	Use Zod, Joi, Yup for structured data

🚫

SQL injection is still the #1 attack vector. ALWAYS use parameterized queries — never concatenate user input into SQL. Modern ORMs (Prisma, Sequelize, TypeORM) use parameterized queries by default, but raw queries are still vulnerable.

🔑

Authentication Security

AUTH

security/password-hashing.js

// ── Password Hashing (NEVER store plaintext!) ──
const bcrypt = require('bcrypt');
const SALT_ROUNDS = 12;

// Hash password on registration
async function register(email, password) {
  // 1. Validate password strength
  if (password.length < 8) throw new Error('Password too short');

  // 2. Hash with salt (bcrypt generates salt automatically)
  const hash = await bcrypt.hash(password, SALT_ROUNDS);

  // 3. Store hash (NOT the password!)
  await db.query(
    'INSERT INTO users (email, password_hash) VALUES ($1, $2)',
    [email, hash]
  );
}

// Verify password on login
async function login(email, password) {
  const user = await db.query(
    'SELECT * FROM users WHERE email = $1', [email]
  );

  if (!user) {
    // Don't reveal if email exists
    await bcrypt.hash('dummy', 10); // prevent timing attacks
    throw new Error('Invalid credentials');
  }

  // bcrypt.compare is timing-safe
  const valid = await bcrypt.compare(password, user.password_hash);
  if (!valid) throw new Error('Invalid credentials');

  return user;
}

// ── Argon2 (even more secure, OWASP recommended) ──
const argon2 = require('argon2');

async function hashPassword(password) {
  return argon2.hash(password, {
    type: argon2.argon2id,
    memoryCost: 65536,  // 64 MB
    timeCost: 3,        // 3 iterations
    parallelism: 4,     // 4 threads
  });
}

// ── Common Password Mistakes ──
// ❌ MD5, SHA1, SHA256 (too fast, use bcrypt/argon2)
// ❌ No salt (rainbow table attacks)
// ❌ Same salt for all users
// ❌ Storing passwords in logs or error messages
// ❌ Comparing passwords in SQL query (timing attack)

security/jwt-security.js

// ── JWT Security ──
const jwt = require('jsonwebtoken');

// BAD: Weak secret, long expiry, no validation
const token = jwt.sign({ userId }, 'secret', { expiresIn: '365d' });

// GOOD: Strong secrets, short expiry, proper claims
const token = jwt.sign(
  {
    sub: userId,         // subject (who)
    role: user.role,     // authorization
    type: 'access',      // token type
    iat: Math.floor(Date.now() / 1000),  // issued at
  },
  process.env.JWT_SECRET,  // strong random secret (256+ bits)
  {
    expiresIn: '15m',   // short expiry
    issuer: 'api.example.com',
    audience: 'app.example.com',
    algorithm: 'RS256', // asymmetric (preferred) or HS256
  }
);

// ── JWT Security Checklist ──
// - Use RS256 (asymmetric) in production
// - Short expiry for access tokens (15 min)
// - Separate refresh tokens (7 days, httpOnly cookie)
// - Validate ALL claims (sub, exp, iss, aud, type)
// - Rotate refresh tokens on each use
// - Store refresh tokens in database (revoke on logout)
// - Blacklist compromised tokens
// - Don't store sensitive data in payload (visible if decoded)

MFA (Multi-Factor Authentication)

Factor	Example	Security
Knowledge	Password, PIN	Low (phishable)
Possession	Phone, hardware key	Medium
Inherence	Fingerprint, face	High
TOTP	Google Authenticator	Medium-High
FIDO2/WebAuthn	YubiKey, Touch ID	Highest

Session Management

Practice	Description
httpOnly cookies	Prevent JS access to session ID
Secure flag	Only send over HTTPS
SameSite	Strict or Lax (prevent CSRF)
Short expiry	Auto-logout after inactivity
Rotate SID	Regenerate after login
Invalidate	Clear on logout/password change

🚫

Never store passwords in plain text.Use bcrypt (min 12 rounds) or argon2id. The password hash should be unique per user (different salt). On login failure, always return the same generic error — don't reveal if the email exists.

🔐

Encryption & Hashing

CRYPTOGRAPHY

Encryption vs Hashing

Aspect	Encryption	Hashing
Reversible	Yes (with key)	No (one-way)
Purpose	Protect data in transit/rest	Verify integrity
Key	Encryption key	No key (deterministic)
Output size	Same as input (+ padding)	Fixed size
Algorithm	AES-256-GCM, ChaCha20	SHA-256, bcrypt, argon2
Example	Encrypt credit card number	Hash password

Encryption Types

Type	Key	Use Case
Symmetric	Same key (AES-256)	Data at rest, fast
Asymmetric	Public/private (RSA)	Key exchange, signatures
Hybrid	Both (TLS)	HTTPS communication
End-to-end	Client keys (Signal)	Messaging apps

security/encryption.js

const crypto = require('crypto');

// ── AES-256-GCM Encryption (Authenticated Encryption) ──
function encrypt(plaintext, masterKey) {
  const iv = crypto.randomBytes(12);              // 96-bit IV (required)
  const salt = crypto.randomBytes(16);

  // Derive key from master password
  const key = crypto.pbkdf2Sync(masterKey, salt, 100000, 32, 'sha256');

  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  let encrypted = cipher.update(plaintext, 'utf8');
  encrypted = Buffer.concat([encrypted, cipher.final()]);
  const authTag = cipher.getAuthTag();            // MUST verify auth tag

  return {
    encrypted: encrypted.toString('base64'),
    iv: iv.toString('base64'),
    salt: salt.toString('base64'),
    authTag: authTag.toString('base64'),
  };
}

function decrypt(encryptedData, masterKey) {
  const { encrypted, iv, salt, authTag } = encryptedData;
  const key = crypto.pbkdf2Sync(masterKey, Buffer.from(salt, 'base64'), 100000, 32, 'sha256');

  const decipher = crypto.createDecipheriv(
    'aes-256-gcm',
    key,
    Buffer.from(iv, 'base64')
  );
  decipher.setAuthTag(Buffer.from(authTag, 'base64'));  // Verify integrity

  let decrypted = decipher.update(Buffer.from(encrypted, 'base64'));
  decrypted = Buffer.concat([decrypted, decipher.final()]);
  return decrypted.toString('utf8');
}

// ── Hashing Functions ──
// SHA-256 (general purpose, NOT for passwords)
const hash = crypto.createHash('sha256').update('data').digest('hex');

// HMAC-SHA256 (message authentication)
const hmac = crypto.createHmac('sha256', secretKey).update(message).digest('hex');

// ── Key Generation ──
const secretKey = crypto.randomBytes(32);          // 256-bit symmetric key
const keyPair = crypto.generateKeyPairSync('rsa', {
  modulusLength: 4096,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

security/https-tls.md

# ── HTTPS / TLS ──

TLS Handshake (simplified):
1. Client → Server: ClientHello (supported cipher suites)
2. Server → Client: ServerHello + Certificate + Key Exchange
3. Client → Server: Key Exchange (pre-master secret, encrypted)
4. Both: Derive session keys
5. Both: Encrypted communication begins

TLS Versions:
- TLS 1.2 (minimum acceptable)
- TLS 1.3 (recommended — faster, more secure)

HTTPS Configuration:
- Use TLS 1.3 (fallback to 1.2)
- Strong cipher suites (AES-256-GCM, ChaCha20-Poly1305)
- HSTS header: Strict-Transport-Security: max-age=31536000; includeSubDomains
- OCSP stapling for fast certificate verification
- Certificate from trusted CA (Let's Encrypt is free)

💡

Use AES-256-GCM for encryption at rest.It provides both confidentiality (encryption) and integrity (authentication tag). Never use AES-CBC without HMAC — it's vulnerable to padding oracle attacks. Always use authenticated encryption.

🌐

Network Security

NETWORK

security/cors.js

// ── CORS (Cross-Origin Resource Sharing) ──

// BAD: Allow ALL origins (dangerous in production)
app.use(cors({ origin: '*' }));

// GOOD: Restrict to specific origins
const cors = require('cors');
app.use(cors({
  origin: ['https://app.example.com', 'https://admin.example.com'],
  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,       // allow cookies
  maxAge: 86400,           // preflight cache (24h)
}));

// ── Preflight Request (OPTIONS) ──
// Browser sends OPTIONS before actual request for cross-origin
// Server responds with allowed methods/headers
// Actual request only sent if preflight succeeds

security/security-headers.js

// ── Security Headers (Helmet middleware) ──
const helmet = require('helmet');
app.use(helmet());

// Or set manually:
app.use((req, res, next) => {
  // Content Security Policy (prevent XSS)
  res.setHeader('Content-Security-Policy',
    "default-src 'self'; " +
    "script-src 'self' 'nonce-abc123' https://cdn.example.com; " +
    "style-src 'self' 'unsafe-inline'; " +
    "img-src 'self' data: https:; " +
    "font-src 'self' https://fonts.gstatic.com; " +
    "connect-src 'self' https://api.example.com; " +
    "frame-ancestors 'none'; " +         // prevent clickjacking
    "base-uri 'self'; " +
    "form-action 'self'"
  );

  // Prevent MIME type sniffing
  res.setHeader('X-Content-Type-Options', 'nosniff');

  // Prevent clickjacking
  res.setHeader('X-Frame-Options', 'DENY');

  // Force HTTPS
  res.setHeader('Strict-Transport-Security',
    'max-age=31536000; includeSubDomains; preload');

  // XSS Protection (legacy browsers)
  res.setHeader('X-XSS-Protection', '1; mode=block');

  // Control referrer information
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');

  // Permissions Policy (formerly Feature-Policy)
  res.setHeader('Permissions-Policy',
    'camera=(), microphone=(), geolocation=(), payment=()');

  next();
});

CSP Directives

Directive	Purpose
default-src	Fallback for all resource types
script-src	JavaScript sources
style-src	CSS sources
img-src	Image sources
font-src	Font sources
connect-src	AJAX/WebSocket targets
frame-src	Allowed iframes
frame-ancestors	Who can embed THIS page
base-uri	Restrict <base> tag URLs
form-action	Restrict form submission targets

Firewall & Network Rules

Rule	Description
Allow HTTPS only	Block port 80, allow 443
Block unused ports	Close everything not needed
SSH key auth only	Disable password SSH login
Fail2Ban	Block brute force IPs
WAF	Web Application Firewall (Cloudflare)
VPN for admin	Restrict admin access by IP/VPN
Rate limit	Nginx/API gateway rate limiting
DDoS protection	Cloudflare, AWS Shield

💡

Use helmet() as a baseline for security headers, then customize CSP for your app. A strict CSP that disallows inline scripts is the best XSS defense. Always set HSTS to enforce HTTPS.

🐛

Common Vulnerabilities

ATTACKS

security/ssrf.js

// ── SSRF (Server-Side Request Forgery) ──

// BAD: User-controlled URL → server makes request
app.get('/proxy', async (req, res) => {
  const data = await fetch(req.query.url);  // Attacker controls URL!
  // Can access: localhost, internal APIs, cloud metadata
  // http://169.254.169.254/latest/meta-data/ (AWS secrets!)
  res.send(await data.text());
});

// GOOD: URL allowlist + validation
const ALLOWED_DOMAINS = ['api.example.com', 'cdn.example.com'];

app.get('/proxy', async (req, res) => {
  const url = new URL(req.query.url);

  // Allowlist domains
  if (!ALLOWED_DOMAINS.includes(url.hostname)) {
    return res.status(403).json({ error: 'Domain not allowed' });
  }

  // Block private IP ranges
  const ip = await dns.resolve(url.hostname);
  if (isPrivateIP(ip)) {
    return res.status(403).json({ error: 'Private IPs not allowed' });
  }

  // Only allow HTTPS
  if (url.protocol !== 'https:') {
    return res.status(403).json({ error: 'Only HTTPS allowed' });
  }

  const data = await fetch(url.toString());
  res.send(await data.text());
});

security/other-vulns.js

// ── Path Traversal ──
// BAD: User-controlled file path
app.get('/files/:name', (req, res) => {
  res.sendFile(req.params.name);
  // Attack: /files/../../../../etc/passwd
});

// GOOD: Sanitize path + restrict directory
const path = require('path');
app.get('/files/:name', (req, res) => {
  const safePath = path.normalize(req.params.name).replace(/^(..[/\\])+/, '');
  const fullPath = path.join('/var/uploads', safePath);

  // Ensure path stays within allowed directory
  if (!fullPath.startsWith('/var/uploads/')) {
    return res.status(403).json({ error: 'Access denied' });
  }
  res.sendFile(fullPath);
});

// ── Mass Assignment ──
// BAD: Spread user input directly
app.put('/users/:id', (req, res) => {
  await User.findByIdAndUpdate(req.params.id, req.body);
  // Attack: { "role": "admin" } → privilege escalation!
});

// GOOD: Explicit whitelist of allowed fields
const ALLOWED_FIELDS = ['name', 'email', 'phone'];
const update = {};
for (const field of ALLOWED_FIELDS) {
  if (req.body[field] !== undefined) {
    update[field] = req.body[field];
  }
}
await User.findByIdAndUpdate(req.params.id, update);

// ── XML External Entity (XXE) ──
// BAD: Parsing untrusted XML with external entities
const xml2js = require('xml2js');
// Attacker injects: <!ENTITY xxe SYSTEM "file:///etc/passwd">

// GOOD: Disable external entities
const parser = new xml2js.Parser({
  explicitCharkey: true,
  explicitArray: false,
  // Disable DTD and external entities
});

Vulnerability Quick Reference

Vuln	Attack	Prevention
SQLi	Malicious SQL in input	Parameterized queries
XSS	Script injection in output	Escaping + CSP
CSRF	Forged cross-site requests	Tokens + SameSite
SSRF	Server fetches attacker URL	Domain allowlist
Path Traversal	../etc/passwd	Path sanitization
Mass Assignment	Role escalation via update	Field whitelist
XXE	XML entity injection	Disable DTD/entities
Prototype Pollution	__proto__ modification	Object freeze/input check
Race Condition	Concurrent exploit	Locking/atomic ops

Security Testing Tools

Tool	Purpose	Type
OWASP ZAP	Automated vulnerability scan	DAST
Burp Suite	Manual penetration testing	DAST/Proxy
npm audit	Dependency vulnerabilities	SCA
Snyk	Dependency + code scanning	SCA/SAST
SonarQube	Code quality + security	SAST
Semgrep	Pattern-based code scanning	SAST
SQLMap	Automated SQL injection	DAST
Nmap	Port/service scanning	Network

✅

Security Best Practices

CHECKLIST

security/checklist.md

# ── Security Checklist ──

## Application Security
- [ ] Input validation on ALL user inputs (server-side)
- [ ] Parameterized queries (no SQL string concatenation)
- [ ] Output encoding / escaping (prevent XSS)
- [ ] CSRF protection on all state-changing requests
- [ ] Strong password hashing (bcrypt 12+ / argon2id)
- [ ] Multi-factor authentication (MFA)
- [ ] Short session expiry + idle timeout
- [ ] Account lockout after failed attempts
- [ ] Secure password reset flow (time-limited tokens)

## API Security
- [ ] Authentication required on all endpoints (except public)
- [ ] Authorization check per resource (not just route-level)
- [ ] Rate limiting (per user/IP)
- [ ] Request size limits
- [ ] Input sanitization (strip HTML, SQL, special chars)
- [ ] Response filtering (don't expose internal IDs, stack traces)
- [ ] API versioning (backward compatibility)

## Infrastructure
- [ ] HTTPS everywhere (TLS 1.2+, HSTS)
- [ ] Security headers (CSP, X-Frame-Options, HSTS)
- [ ] CORS properly configured (no wildcard in production)
- [ ] Dependencies audited and updated (npm audit)
- [ ] Environment variables for secrets (never in code)
- [ ] Secrets management (Vault, AWS Secrets Manager)
- [ ] Database encrypted at rest
- [ ] Backups encrypted and tested

## Monitoring & Response
- [ ] Centralized logging (never log passwords, tokens, PII)
- [ ] Alert on anomalies (failed logins, unusual API usage)
- [ ] Incident response plan
- [ ] Regular security audits
- [ ] Bug bounty program

security/node-config.js

// ── Node.js Security Configuration ──

// 1. Secure dependencies
// npm audit --production
// npm audit fix

// 2. Environment variables (never hardcode secrets)
// .env file (add to .gitignore!)
// process.env.JWT_SECRET
// process.env.DATABASE_URL

// 3. Prevent prototype pollution
const safeMerge = Object.assign({}, ...objects);
// Or use structuredClone (Node 17+)
const safe = structuredClone(data);

// 4. Event loop blocking prevention
// Use cluster / worker_threads for CPU-heavy tasks
// Use setImmediate for async processing

// 5. Error handling (don't leak stack traces in production)
app.use((err, req, res, next) => {
  if (process.env.NODE_ENV === 'production') {
    // Log full error internally
    logger.error(err.stack);
    // Send generic message to client
    res.status(500).json({ error: 'Internal server error' });
  } else {
    res.status(500).json({ error: err.message, stack: err.stack });
  }
});

// 6. Disable unnecessary HTTP headers
app.disable('x-powered-by');  // Don't reveal Express

💡

Security is a process, not a product. Implement defense in depth: multiple layers of security (input validation, parameterized queries, CSP, rate limiting, monitoring). No single measure is sufficient alone.

🎯

Interview Q&A

PREP

Q: What is SQL injection and how to prevent it?SQL injection occurs when user input is concatenated into SQL queries, allowing attackers to manipulate the query logic. Prevention: (1) Parameterized queries/prepared statements, (2) ORM with parameterized queries, (3) Input validation (whitelist), (4) Least privilege DB user. Never use string concatenation for SQL.

Q: Explain XSS types and prevention.Stored XSS: malicious input stored in DB and rendered to other users. Reflected XSS: input reflected in immediate response (URL params). DOM-based XSS: JS modifies DOM with unsanitized data. Prevention: output encoding, CSP headers, HttpOnly cookies, input validation, React's auto-escaping.

Q: How does CSRF work and how to prevent it?CSRF tricks a user's browser into making authenticated requests to a different site. Prevention: CSRF tokens (unique per form, validated server-side), SameSite=Strict/Lax cookies, verifying Origin header, requiring custom headers (X-Requested-With).

Q: JWT vs session-based auth?JWT: stateless, self-contained, scalable (no server storage), but harder to revoke and token size grows. Sessions: server-side storage, easy to revoke, but requires sticky sessions or shared store. JWT is better for distributed systems; sessions are better for fine-grained security control.

Q: What is CORS and why is it needed?CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts cross-origin HTTP requests. Without CORS, a malicious site could make requests to your API using the victim's cookies. Configure allowed origins, methods, headers. Never use wildcard (*) with credentials.

Q: HTTPS vs HTTP — why HTTPS is mandatory?HTTPS encrypts all communication (prevents MITM attacks), provides data integrity (no tampering), and authentication (server identity via certificate). TLS 1.3 is recommended. HSTS header ensures browsers always use HTTPS. Free certificates from Let's Encrypt.

Q: Explain the OWASP Top 10.2021 list: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Auth Failures, A08 Software/Data Integrity, A09 Logging Failures, A10 SSRF. Know prevention for each.

Q: What is Content Security Policy?CSP is an HTTP response header that restricts what resources (scripts, styles, images, fonts) a page can load. It prevents XSS by blocking inline scripts and restricting script sources. Example: script-src 'self' 'nonce-abc' prevents all scripts except from same origin and those with the nonce.

Q: How to store passwords securely?Never store plaintext. Use bcrypt (12+ rounds) or argon2id. These algorithms are intentionally slow (prevent brute force) and include a unique salt per user (prevent rainbow tables). On failed login, always return generic error, use constant-time comparison.

💡

Top security interview topics: OWASP Top 10, SQL injection, XSS (3 types + prevention), CSRF, JWT/session auth, HTTPS/TLS, CORS, CSP headers, password hashing (bcrypt vs argon2), encryption (AES-256-GCM), rate limiting, and secure coding practices.

⏳

Loading cheatsheet...