Chrome’s new HTTPS‑First experiment automatically upgrades HTTP requests to HTTPS, warns about insecure downloads, and rolls out gradually, aiming to make the web safer by encrypting the majority of traffic while still handling edge cases gracefully.
This article explains the browser's Same‑Origin Policy, its restrictions on DOM, data and network access, and how Cross‑Origin Resource Sharing (CORS) with simple and preflight requests enables controlled cross‑origin communication while mitigating security risks.
This article explains what a Web Application Firewall (WAF) is, introduces the open‑source SafeLine WAF, and provides step‑by‑step instructions for containerized installation, describes its architecture and core security capabilities such as semantic attack detection, IP intelligence, traffic control, and high‑performance protection for web sites.
This article explains the fundamentals of the Same‑Origin Policy, its security implications, and how Cross‑Origin Resource Sharing (CORS) works—including simple requests, preflight requests, and handling credentials—to help developers safely perform cross‑domain HTTP operations in browsers.
This guide explains how to identify and differentiate malicious bot traffic from legitimate requests by analyzing web server logs, leveraging fields such as IP, user‑agent, referer, and parameters, and then applying WAF rules, automation, and security platforms to mitigate attacks and improve operational metrics.
Chrome’s latest experiment aims to automatically upgrade all HTTP requests to HTTPS, detailing current HTTPS adoption rates, the new HTTPS‑First mode’s automatic upgrades, unsafe download warnings, phased rollout plans, and how users can enable the feature now for a more secure browsing experience.
This article explains why backend developers should switch from HTTP to HTTPS for user-facing services, highlights the key differences—including SSL and TLS—and points to a concise five‑minute video that visually demonstrates how HTTPS works and secures web traffic.
This article explains the purpose, syntax, optional parameters, and practical examples of PHP's htmlspecialchars() function, demonstrating how to safely convert special characters to HTML entities, control encoding and flags, avoid double‑encoding, and follow important usage considerations for secure web development.
This article explains the same‑origin policy, its security implications for DOM, web data and network communication, and how Cross‑Origin Resource Sharing (CORS) with simple and preflight requests enables controlled cross‑domain interactions while protecting users from attacks such as XSS, CSRF, and others.
This article compares storing authentication tokens in cookies versus the Authorization header, outlining each method's implementation, advantages, drawbacks, security implications such as XSS and CSRF risks, cross‑domain considerations, and compliance with authentication standards.
This article explains the fundamentals of Cross‑Site Request Forgery (CSRF), describing its background, attack mechanics, key concepts, common prevention techniques such as anti‑CSRF tokens and SameSite cookies, and provides practical GET and POST examples to illustrate the threat.
This tutorial demonstrates how to bypass complex, layered encryption on a target website by using Sekiro RPC to invoke browser methods directly, covering analysis of the encrypted sign parameter, setting conditional breakpoints, overriding JavaScript files, defining a Sekiro client, and retrieving the signature via Python.
This article reviews the best open‑source vulnerability scanners for web applications, databases, and infrastructure in 2023, detailing each tool’s key features, advantages, disadvantages, and guidance on who should or should not use them.
This article explains how to combine reflected and stored cross‑site scripting attacks with same‑origin policy abuse to turn a low‑severity XSS vulnerability into a high‑severity issue, detailing discovery, exploitation steps, and a JavaScript payload that harvests user data.
Although you can obtain a website’s IP address, accessing it directly via HTTPS often fails because the HTTP request’s Host header differs, and servers use this header to verify the intended domain, leading to 403 errors unless the correct Host value is supplied.
This article explains why accessing a site via its IP address fails, revealing that the HTTP Host header distinguishes domain‑based requests from raw IP requests, and shows how adjusting the Host field restores access.
This article introduces PHP security library functions such as htmlspecialchars(), htmlentities(), and mysqli_real_escape_string(), demonstrating with code examples how they filter and validate user input to prevent XSS and SQL injection attacks, while noting that additional security measures are still required.
This article explains why web applications need a Web Application Firewall, introduces ModSecurity as a WAF for Nginx, and provides step‑by‑step installation, configuration, custom rule creation, and service restart commands to defend against attacks such as SQL injection and XSS.
This article explains what browser sandboxes are, why they are crucial for web security, outlines their benefits, lists common sandboxed applications, describes various sandbox types, and provides practical guidance on using and disabling sandbox features in major browsers.
This guide explains the browser's same‑origin policy, defines cross‑origin requests, outlines the restrictions on non‑same‑origin resources, and presents five Java‑backend techniques—including a global CorsFilter bean, WebMvcConfigurer, @CrossOrigin annotation, manual response headers, and a custom filter—to enable CORS.
The article explains how misconfigured caches and inconsistent front‑end/back‑end parsing enable web cache poisoning and HTTP request smuggling attacks, illustrates practical exploitation scenarios, and recommends disabling caching, unifying request‑boundary logic, and adopting HTTP/2 or strict configurations to defend against these high‑impact threats.
This article explains the fundamental weaknesses of HTTP, demonstrates how man‑in‑the‑middle attacks exploit clear‑text communication, and shows how HTTPS—through SSL/TLS handshakes, certificate validation, and CA hierarchies—protects web traffic from interception and tampering.
This article traces the evolution from simple web page browsing to modern token‑based authentication, explaining the scalability and security problems of server‑side sessions and showing how signed, stateless tokens using HMAC‑SHA256 eliminate those issues while supporting horizontal scaling and cross‑platform access.
This article explains how forged HTTP headers can lead to SQL injection, demonstrates PHP functions for obtaining client IPs, shows blind injection payloads for enumerating databases, tables, columns, and users, and provides practical sqlmap commands and code examples for exploiting and testing vulnerabilities.
This article explains why HTTPS provides secure communication by detailing the TLS handshake, the roles of asymmetric and symmetric encryption, the necessity of CA‑issued certificates, how browsers validate them, and the limits of HTTPS against man‑in‑the‑middle attacks.
Spring MVC provides built‑in CORS support, allowing you to configure preflight, simple, and actual requests via global HandlerMapping settings, @CrossOrigin annotations, Java‑based CorsRegistry, or CorsFilter, with detailed options for origins, headers, methods, credentials, and max‑age to secure cross‑origin interactions.
This article explains the browser same‑origin policy, defines cross‑origin requests, outlines the restrictions they impose, and presents five practical ways—global filter, WebMvcConfigurer, @CrossOrigin annotation, manual response headers, and a custom filter—to enable CORS in a Java Spring MVC backend with complete code examples.
This article walks through the most common MyBatis SQL injection patterns—like, IN, and ORDER BY—explains why they occur, and provides a step‑by‑step hands‑on methodology for locating, reproducing, and confirming the flaws in a real Java CMS project.
This article explains why browsers enforce the Same‑Origin Policy, defines cross‑origin requests, lists the restrictions of non‑same‑origin access, and provides five practical ways—global filter, WebMvcConfigurer, @CrossOrigin annotation, manual header setting, and a custom filter—to enable CORS in Java Spring Boot applications, complete with code examples.
This curated overview highlights six puzzling React phenomena, introduces CSS Grid basics, examines AI‑generated art controversies, discusses COEP’s security benefits, reviews the new Fresh full‑stack framework, and explores how to measure user experience with data‑driven metrics.
This tutorial demonstrates how to set up a Spring Security FormLogin authentication flow, including creating a demo project, customizing the login page, configuring security rules, defining users and roles, and testing the login process with custom success and failure handlers.
Script Error, a generic message caused by cross‑origin restrictions, hides real JavaScript failures; this article explains its origins, current workarounds like crossorigin and CSP, compares how major sites handle it, and proposes systematic solutions for future web development.
The article explains that browsers mask cross‑origin script failures as generic “Script error” due to the same‑origin policy, outlines the proper fix of adding the crossorigin attribute and Access‑Control‑Allow‑Origin header, critiques ad‑hoc proxy or try‑catch workarounds, and recommends systematic measures such as CSP Report‑Only, monitoring tools, and proper script whitelisting.
The article explains why browsers like Chrome 94 block cross‑origin requests from public contexts to private‑network resources, illustrates the issue with a reproducible example, analyzes the underlying policy changes, and provides practical solutions and configuration steps to mitigate the problem.
This article explains why browsers enforce same‑origin policies, defines cross‑origin requests, outlines the restrictions on non‑same‑origin resources, and presents five practical Java backend solutions—including a global CorsFilter, WebMvcConfigurer, @CrossOrigin annotation, manual response headers, and a custom filter—complete with code examples.
HTTP Referer is a header field that indicates the source URL of the current webpage, playing a crucial role in web security, analytics, and troubleshooting, with various Referrer-Policy strategies controlling how much information is shared.
This article explains the fundamentals of SQL injection attacks, outlines their severe consequences, and provides a comprehensive set of prevention principles and practical measures—including parameterized queries, strong typing, input validation, and secure MyBatis configurations—to help developers safeguard backend applications and databases.
This article presents ten multiple‑choice questions covering symmetric and asymmetric encryption, web malware, cookie security, access control, ARP spoofing, malicious code detection, buffer overflows, SQL injection, and rainbow‑table defenses, letting readers assess their information‑security expertise.
This article explains the origin of CORS issues caused by the browser's Same‑Origin Policy, describes what constitutes a cross‑origin request, outlines the restrictions of non‑same‑origin resources, and provides five Java‑based solutions—including a global CorsFilter bean, WebMvcConfigurer override, @CrossOrigin annotation, manual response‑header setting, and a custom filter—to enable cross‑origin access.
This paper proposes a WebAssembly‑QuickJS sandbox that isolates JavaScript execution and uses Shadow DOM/iframe for CSS isolation, delivering W3C‑compliant, high‑performance security for web apps, achieving 355× communication gains over mini‑programs while maintaining a lightweight, extensible ecosystem for e‑commerce plugins.
This article explains the evolution from HTTP to HTTPS, detailing HTTP’s history, its security shortcomings, the principles of symmetric and asymmetric encryption, digital signatures, certificate authorities, and the complete HTTPS handshake process, helping readers understand how secure web communication works.
The article explains how PHP functions like exec(), system(), passthru(), popen(), backtick operator, shell_exec() and pcntl_exec() can be abused for OS command injection, demonstrates vulnerable code examples, and provides practical mitigation techniques to secure web applications.
This article explains the design of a WebAssembly‑based security sandbox using QuickJS, detailing its background, goals, technical architecture, performance benchmarks, and future roadmap for building a safer, standards‑compliant open web ecosystem.
This article explains the mechanics of CORS, detailing how browsers decide whether a cross‑origin request is executed directly, blocked, or preceded by a preflight OPTIONS request, and distinguishes between simple and complex requests based on method, headers, and other criteria.
This article explains when cross‑origin problems occur due to the browser's same‑origin policy, describes the restrictions it imposes, and provides detailed Nginx add_header configurations—including specific and global examples—to enable Access‑Control‑Allow‑Origin and Access‑Control‑Allow‑Methods headers for CORS resolution.
This article explains various methods to prevent XSS injection in PHP, covering the limitations of built‑in filters, proper use of htmlspecialchars and htmlentities, replacement techniques, and provides comprehensive PHP functions with code examples for sanitizing user input and removing malicious scripts.
This article explains the lightweight JWT specification, walks through its three-part structure (header, payload, signature), shows how to encode and sign a token with Node.js, and demonstrates using a JWT‑based link to perform a friend‑request operation without requiring the recipient to log in.
This article explains the principles, attack vectors, and mitigation techniques for three common web security threats—Cross‑Site Scripting (XSS), Cross‑Site Request Forgery (CSRF), and Clickjacking—detailing how malicious scripts are injected, how forged requests exploit user credentials, and how defensive headers, token strategies, and frame restrictions can protect applications.
This article compares cookies, server-side sessions, and JWT tokens, explaining their mechanisms, advantages, drawbacks, and best-use scenarios for web authentication, load‑balanced environments, and mobile applications, while also addressing security concerns such as CSRF and token storage.
This article explains the fundamentals of OAuth2.0, distinguishes it from SSO, describes the three main participants, outlines the complete authorization flow with step‑by‑step details, defines key terminology, and discusses deployment scenarios such as web servers, user‑agent apps, and native applications.
This article explains how HTTP caching works, highlights security and privacy risks such as those introduced by the Spectre vulnerability, and recommends safe cache-control settings like using private caches and varying by Cookie to protect sensitive web resources.
This guide explains how to use Python's requests library to brute‑force DVWA login pages at low and medium security levels, detailing code snippets, request headers, payload construction, response handling, and result logging to CSV or TXT files.
This article explains the fundamentals of web session management, compares server‑side, cookie‑based, and token‑based storage methods, discusses authentication versus authorization, and outlines security considerations and best‑practice recommendations for managing user sessions in modern web applications.
This guide explains how to use Alibaba Cloud's Application High Availability Service (AHAS) with Sentinel to implement fine‑grained traffic control, hotspot detection, concurrency limits, circuit breaking, and fallback handling for Java and Go web applications, illustrated with a Spring Boot example.
This article explains the purpose of the HTTP Host header, how Host header attacks work, methods to discover and exploit them—including password‑reset poisoning, cache poisoning, access‑control bypass, and SSRF—and provides practical mitigation techniques for developers and security teams.
This article explores HTTP cookies in depth, covering their definition, attributes, security settings, tracking mechanisms, third‑party usage, front‑end management practices, emerging standards like SameSite and SameParty, and future trends such as Chrome’s privacy sandbox and the Cookie Store API.
This article demonstrates how to use a Python script to perform a brute‑force attack against the DVWA login page by sending HTTP GET requests with custom headers and payloads, iterating over username and password dictionaries, recording response status, content length, and saving results to CSV or TXT files.
This article educates front‑end engineers about common web security threats such as XSS, CSRF, directory exposure, SQL injection, command injection, DDoS, and hijacking, and provides practical mitigation techniques and best‑practice principles to build more secure web applications.
A curious case where entering the wrong Vue documentation URL (https://cn.vuejs.org) redirects to an adult site, prompting a technical investigation that reveals 301 redirects, hidden JavaScript, random target selection, and broader security implications for web developers.
This article introduces web security testing, explains why it is essential, describes common vulnerabilities such as weak passwords, XSS, CSRF, SQL injection, authorization bypass, and file upload issues, and offers practical prevention measures and testing guidelines for developers and testers.
This article explains the fundamentals of HTTP's stateless nature, session handling in single‑system web apps, the challenges of multi‑system environments, and presents a detailed walkthrough of Single Sign‑On concepts, token‑based authentication flow, global versus local sessions, deployment considerations, and a step‑by‑step Java implementation with code examples.
The article explains the nature of XSS, illustrates how attackers inject malicious scripts through user input, and provides practical prevention techniques such as HTML escaping, whitelist filtering, and reusable Node.js middleware with code examples and detailed usage.
This article explains the browser's same‑origin policy, why cross‑origin requests are blocked, and walks through practical solutions—including JSONP, CORS with simple and preflight requests, PostMessage, WebSocket, Nginx reverse proxy, Node middleware proxy, and document.domain—so developers can choose the right technique for their needs.
This article compares three browser storage options for JWT—Cookie, localStorage, and sessionStorage—examining their automatic transmission, CSRF and XSS vulnerabilities, and security configurations such as SameSite and HttpOnly to help developers choose the safest method.
This roundup highlights recent front‑end open‑source updates, including AppWorks 1.5’s auto‑style imports, Parcel 2’s plugin system and Rust‑based performance boost, the Superplate starter kit, the DOM Treemap DevTools extension, Theatre.js animation library, and the W3C Sanitizer API proposal for preventing XSS attacks.
This guide walks you through creating a Docker‑powered environment that includes a graphical Kali Linux workstation and a web target machine with MySQL and Tomcat, covering Docker installation, image preparation, container configuration, remote desktop setup, and database integration for hands‑on information‑security practice.
This article explains the causes, impacts, and various techniques of SQL injection attacks in PHP applications, demonstrates vulnerable code examples, and provides practical mitigation measures such as input validation, error handling, character encoding considerations, and secure coding practices.
This article explains the stateless nature of HTTP, the session and cookie mechanisms for single‑system login, the challenges of multi‑system environments, and provides a detailed overview of Single Sign‑On (SSO) concepts, token flow, and step‑by‑step Java code examples for client and server implementations.
This article examines common security flaws in basic web login forms, demonstrates how plain‑text passwords can be intercepted, and presents practical countermeasures such as client‑side encryption, hashing, captchas, tokens, and digital signatures to protect credentials and data integrity.
This article examines common security vulnerabilities in web login processes, illustrating how plain HTTP exposes credentials, evaluating symmetric and asymmetric encryption, token-based authentication, and digital signatures, and proposes layered protection strategies such as MD5 hashing, CAPTCHA, and token mechanisms to safeguard user data.
This article reviews the origin and evolution of CAPTCHAs, examines early applications and OCR attacks, describes the three generations of reCAPTCHA and emerging verification methods, and discusses how CAPTCHAs are used to raise attack barriers, filter malicious traffic, and support risk assessment in modern anti‑fraud systems.
This guide walks through setting up WeChat web authorization, customizing Spring Security's OAuth2 flow, handling token exchange, and retrieving user info, providing a complete backend solution for secure WeChat-enabled applications.
This article explains the fundamentals of HTTP's stateless nature, session mechanisms, the challenges of multi‑system login, and provides a detailed guide with Java code examples on implementing Single Sign‑On (SSO) including token generation, validation, and global‑local session handling.
This article examines common security vulnerabilities in web login processes, demonstrates how plain‑text passwords can be intercepted over HTTP/HTTPS, evaluates symmetric and asymmetric encryption, discusses the limitations of MD5, and proposes token‑based and digital‑signature solutions to protect credentials and data integrity.
The article explains how browser incognito or private‑browsing modes work, clarifies common misconceptions, details why they do not provide true anonymity, and explores technical detection methods and fingerprinting techniques—including code examples—while offering guidance on protecting personal privacy.
This article explains the JSON Web Token (JWT) format, its three parts—header, payload, and signature—how to create and verify tokens with Node.js, and why JWTs are useful for stateless authentication, single‑sign‑on, and reducing server‑side session storage.
This article explains how SQL injection can still occur in Java applications using MyBatis, describes the three typical vulnerable patterns (LIKE, IN, ORDER BY), and provides a step‑by‑step practical workflow—including code snippets and verification—to help beginners audit and remediate such issues.
The article documents a step‑by‑step security investigation of a QQ phishing site, detailing its fake login page, POST endpoint, Python‑based credential flooding, network reconnaissance, port scanning, vulnerability scanning, and discovery of the backend control panel, while discussing the challenges of XSS and brute‑force attacks.
This article compares the mechanisms of Cookie, Session, and JWT token for user authentication, explaining their histories, workflows, scalability challenges, security trade‑offs, and best‑practice scenarios such as single sign‑on, mobile access, and CSRF protection.
This article explains the CORS mechanism, detailing how browsers automatically add Origin headers, the difference between simple and non‑simple requests, the preflight exchange, required HTTP headers, and how servers respond to enable or reject cross‑origin communication.
This article explains the evolution from cookies to server‑side sessions and finally to JWT tokens, compares their mechanisms, discusses scalability and security challenges such as CSRF, and provides guidance on when to choose each authentication method.
This article explains the Same Origin Policy, introduces the CORS standard, details required response headers, and provides three practical Spring implementations—global config, filter, and annotation—to enable cross‑origin requests efficiently.
This article explains the stateless nature of HTTP, how session mechanisms and cookies enable login state, why single-system login fails in multi‑system environments, and provides a step‑by‑step Java implementation of Single Sign‑On with token generation, validation, and logout handling.
This article walks through the step‑by‑step reverse‑engineering process used to identify and replicate the MD5‑based sign generation in a web API request, detailing parameter extraction, code inspection, and cookie handling to recreate the required authentication logic.
This tutorial walks you through a complete web penetration test on the fictional site hack‑test.com, covering DNS enumeration, server fingerprinting, vulnerability scanning with Nikto and w3af, exploiting SQL injection via sqlmap, uploading a PHP webshell, gaining a reverse shell, and finally escalating to root privileges on a Linux server.
An in‑depth walkthrough demonstrates how to identify, analyze, and attack a QQ phishing website—revealing its URL, POST parameters, using Python to flood it with fake credentials, performing WHOIS, ping, nmap, and w3af scans, uncovering backend details, and discussing mitigation strategies.
This article reviews the fundamentals of the HTTP protocol, explains why its plaintext transmission makes it vulnerable to man‑in‑the‑middle attacks, and details how HTTPS—through SSL/TLS, asymmetric key exchange, and CA certificate verification—protects data integrity and confidentiality.
This article introduces the fundamentals of SQL injection, explains Sqlmap's five injection techniques, lists supported databases, shows installation methods, walks through essential commands and options, and provides practical examples for testing and exploiting vulnerable web applications.
The article details a step‑by‑step penetration test of a seemingly empty financial web application, describing how hidden JavaScript files and a discovered /xxxapi/file/pdf/view endpoint were leveraged to craft an SSRF payload that accessed internal services such as Elasticsearch, illustrating practical web security exploitation techniques.
This article explains how misconfigured HTTP Host headers can be abused for attacks such as cache poisoning, SSRF, password‑reset poisoning and other server‑side exploits, and provides practical detection methods and defensive recommendations for developers and security engineers.
This article explains what clickjacking (UI redressing) is, demonstrates how attackers craft hidden iframe layers to hijack user clicks, and outlines both client‑side and server‑side mitigation strategies such as frame‑busting scripts, X‑Frame‑Options, and Content‑Security‑Policy directives.
This article explains what HTTP request smuggling is, how the vulnerability arises from conflicting Content‑Length and Transfer‑Encoding headers, describes common CL.TE, TE.CL and TE.TE attack patterns, and outlines detection techniques and defensive measures for modern web infrastructures.
This article explains what directory (path) traversal is, demonstrates how attackers can read or write arbitrary files on a server by manipulating file‑path parameters, outlines common bypass techniques, and provides concrete defensive coding practices to mitigate the vulnerability.
This article explains the fundamentals of Cross‑Origin Resource Sharing (CORS) and the Same‑Origin Policy, illustrates common misconfigurations and attack scenarios such as origin reflection, null origin whitelisting, and TLS downgrade, and provides best‑practice mitigation techniques for secure web development.
This article examines the vulnerabilities of HTTP, illustrates man‑in‑the‑middle attacks, and explains how HTTPS—through SSL/TLS handshakes, certificate authorities, and asymmetric encryption—protects communications, providing a comprehensive understanding of web security fundamentals for developers and users alike.
This article explores HTTP request smuggling—its origins, how inconsistencies in proxy and server implementations enable the attack, detailed packet constructions using Content‑Length and chunked encoding, practical PortSwigger lab demonstrations, and effective mitigation strategies such as disabling TCP reuse and adopting cloud‑based security services.
This article explains three practical Single Sign‑On implementations—parent‑domain cookies, a dedicated authentication center, and cross‑domain LocalStorage—detailing their mechanisms, advantages, limitations, and code examples for secure token sharing across multiple web applications.
This article explains how Single Sign‑On works in browser‑server applications, compares three implementation methods—parent‑domain cookies, a dedicated authentication center, and cross‑domain LocalStorage with iframe/postMessage—and provides sample code for the latter technique.
This article explains the Same-Origin Policy, its security purpose and restrictions, introduces CORS as a solution for cross‑origin AJAX requests, and provides three practical ways—annotation, filter, and WebMvcConfigurerAdapter—to enable CORS in a Spring Boot application.
This tutorial explains server‑side template injection (SSTI), shows how to identify vulnerable template engines, and provides hands‑on Docker‑based labs for Twig (PHP) and Jinja2 (Python) with code examples, payloads, and step‑by‑step exploitation guidance.
