How the Web Works (Security Perspective)
Before exploiting or defending web applications, you must deeply understand how they work at the HTTP level. Every web vulnerability traces back to a misunderstanding or mishandling of HTTP, cookies, sessions, or trust relationships.
HTTP Request/Response Anatomy
# Complete HTTP Request — what actually gets sent
GET /api/users/42 HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...
Cookie: session=abc123; csrf_token=xyz789
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: application/json
Referer: https://app.example.com/dashboard
# Security relevance:
# Authorization: Bearer → JWT token — see Module 6 for JWT attacks
# Cookie: session → if stolen via XSS → account takeover
# Referer → can leak sensitive URL parameters to third-party servers
# User-Agent → fingerprinting; can be spoofed freely by attacker
# HTTP Response — what the server replies
HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000
{"id": 42, "name": "Alice", "role": "user"}
# Security relevance:
# Set-Cookie attributes → missing HttpOnly = XSS cookie theft possible
# Missing CSP → XSS can execute any script, exfiltrate data
# Missing HSTS → first visit over HTTP is vulnerable to SSL stripping
Same-Origin Policy (SOP)
- SOP is the browser's most important security mechanism: a web page can only access resources from the same origin (protocol + domain + port)
- Same origin: https://app.example.com:443 and https://app.example.com:443/api — same origin (only the path differs, and the path is not part of the origin)
- Different origin: http://app.example.com (different protocol), https://api.example.com (different subdomain), https://app.example.com:8080 (different port)
- SOP prevents evil.com from reading your bank balance out of a hidden bank.com iframe, or reading your Gmail inbox after you've logged in
- CORS (Cross-Origin Resource Sharing): a mechanism to RELAX SOP selectively. If bank.com responds with Access-Control-Allow-Origin: https://app.bank.com, then scripts running on app.bank.com are allowed to read the responses to their API requests to bank.com
- CORS misconfiguration: Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true allows any site to make authenticated requests
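The origin comparison and the CORS decision described in the bullets above, as an added example that is not part of the original page: origin_of() reduces a URL to the (scheme, host, port) triple the browser compares, browser_may_read() mirrors the browser's check on Access-Control-Allow-Origin and Access-Control-Allow-Credentials, and cors_response_headers() is an allowlist-based server response placed beside reflect_any_origin(), the misconfigured form. The bank.com and app.bank.com names are taken from the text; the function names, ALLOWED_ORIGINS and the evil.com sample are constructed for this example. One caveat the check makes visible: browsers refuse the literal `*` together with Allow-Credentials: true, so the way the misconfiguration actually bites in practice is a server that reflects whatever Origin header the request carries.

```python
from urllib.parse import urlsplit

# Ports a browser assumes when the URL names none, so https://app.example.com
# and https://app.example.com:443 are one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) triple the browser compares as an origin.

    Path, query and fragment are ignored on purpose: /dashboard and /api on the
    same host are the same origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True when both URLs share scheme, host and port."""
    return origin_of(url_a) == origin_of(url_b)


def browser_may_read(page_origin: str, response_headers: dict, credentialed: bool = False) -> bool:
    """Mirror the browser's CORS check: may a script at page_origin read this response?

    credentialed=True means the request carried cookies or an Authorization
    header (fetch(..., credentials="include")).
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    acac = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return False                      # no CORS header: SOP applies, response stays opaque
    if acao == "*":
        return not credentialed           # the wildcard never unlocks credentialed responses
    if origin_of(acao) != origin_of(page_origin):
        return False                      # exact origin match only, no substring or suffix logic
    return acac if credentialed else True


# Constructed allowlist for the bank.com API (hypothetical, names taken from the text).
ALLOWED_ORIGINS = ("https://app.bank.com",)


def cors_response_headers(request_origin, allowed=ALLOWED_ORIGINS) -> dict:
    """Safe server-side CORS: echo an origin only when it is on the allowlist."""
    headers = {"Vary": "Origin"}          # shared caches must key the response on Origin
    for entry in allowed:
        if request_origin is not None and same_origin(request_origin, entry):
            headers["Access-Control-Allow-Origin"] = entry
            headers["Access-Control-Allow-Credentials"] = "true"
            break
    return headers


def reflect_any_origin(request_origin) -> dict:
    """The misconfiguration: reflect whatever Origin arrives and allow credentials."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    print(same_origin("https://app.example.com:443", "https://app.example.com/api"))  # True
    for page in ("https://app.bank.com", "https://evil.com"):
        safe = browser_may_read(page, cors_response_headers(page), credentialed=True)
        reflected = browser_may_read(page, reflect_any_origin(page), credentialed=True)
        print(f"{page}: allowlist -> {safe}, reflected -> {reflected}")
```

With the allowlist, a page on evil.com gets no Access-Control-Allow-Origin at all and the browser keeps the response opaque; with the reflecting server, the same page reads authenticated responses, which is the "any site can make authenticated requests" outcome the bullet describes. The `Vary: Origin` header matters in the safe version because a shared cache would otherwise serve one origin's Allow-Origin value to another.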
Common Mistakes
- Trusting client-supplied data — HTTP headers, cookies, POST body, and URL parameters are all fully controlled by the client and must be treated as untrusted input
- Relying on client-side validation alone — any validation in JavaScript can be bypassed; all validation must be enforced server-side
- Overly permissive CORS — Access-Control-Allow-Origin: * is appropriate for public APIs; never combine it with Access-Control-Allow-Credentials: true
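The response-header checks the anatomy section annotates (Set-Cookie attributes, CSP, HSTS, X-Frame-Options), written out as an added example that is not part of the original page: a small parser for a raw HTTP/1.1 response, a Set-Cookie attribute parser, and an audit that reports one finding per missing protection. HARDENED_RESPONSE is a constructed copy of the response shown above; WEAK_RESPONSE is a constructed variant with the protections stripped, and the function names are this example's own.

```python
import re

# Constructed copy of the hardened response from the anatomy section above.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    '{"id": 42, "name": "Alice", "role": "user"}'
)

# Constructed weak variant: same body, protective headers and cookie flags removed.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: session=abc123\r\n"
    "\r\n"
    '{"id": 42, "name": "Alice", "role": "user"}'
)


def parse_raw_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value), ...], body).

    Headers are kept as a list because Set-Cookie may legitimately repeat.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip():
            headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def parse_set_cookie(value: str) -> dict:
    """Break 'name=value; Attr; Attr=val' into name, value and lower-cased attribute keys."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for attr in rest:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": cookie_value.strip(), "attrs": attrs}


def audit_response(headers) -> list:
    """Return one finding per missing protection, in the order the anatomy section lists them."""
    findings = []
    present = {name.lower(): value for name, value in headers}
    csp = present.get("content-security-policy", "").lower()

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        attrs, label = cookie["attrs"], f"cookie {cookie['name']}"
        if "httponly" not in attrs:
            findings.append(f"{label}: missing HttpOnly, document.cookie exposes it to injected script")
        if "secure" not in attrs:
            findings.append(f"{label}: missing Secure, the browser will also send it over plaintext HTTP")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append(f"{label}: SameSite absent or None, cookie is attached to cross-site requests")

    if "content-security-policy" not in present:
        findings.append("missing Content-Security-Policy: injected script runs and can exfiltrate data")
    hsts = present.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security: first http:// visit can be downgraded")
    else:
        max_age = re.search(r"max-age=(\d+)", hsts)
        if not max_age or int(max_age.group(1)) < 31536000:
            findings.append("Strict-Transport-Security max-age shorter than the one-year value used above")
    if "x-frame-options" not in present and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: page can be framed by other sites")
    return findings


def audit_raw(raw: str) -> list:
    """Convenience wrapper: audit a raw response string."""
    return audit_response(parse_raw_response(raw)[1])


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_raw(raw) or ["no findings"])
```

The hardened response produces no findings; the weak one produces six, one for each header or cookie attribute the anatomy section calls out. Headers are compared case-insensitively because HTTP header names are, and the frame check accepts either X-Frame-Options or a CSP frame-ancestors directive so a modern CSP-only deployment is not flagged.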
Tip
Practice How the Web Works Security Perspective in small, isolated examples before integrating into larger projects. Breaking concepts into small experiments builds genuine understanding faster than reading alone.
Practice Task
(1) Write a working example of How the Web Works Security Perspective from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Common Mistake
A common mistake with How the Web Works Security Perspective is skipping edge case testing — empty inputs, null values, and unexpected data types. Always validate boundary conditions to write robust, production-ready cybersecurity code.
Key Takeaways
- Before exploiting or defending web applications, you must deeply understand how they work at the HTTP level.
- SOP is the browser's most important security mechanism: a web page can only access resources from the same origin (protocol + domain + port)
- Same origin: https://app.example.com:443 and https://app.example.com:443/api — same origin (only the path differs, and the path is not part of the origin)
- Different origin: http://app.example.com (different protocol), https://api.example.com (different subdomain), https://app.example.com:8080 (different port)