Security Glossary
Essential web security terms explained. From CSP to XSS, understand the terminology that keeps websites safe.
Headers
- Content Security Policy (CSP)
- An HTTP response header that tells the browser which sources it may load scripts, styles, frames and other content from. A strict policy (nonces or hashes instead of 'unsafe-inline') mitigates XSS and data injection by refusing to run injected script even when an injection flaw exists.
- CORS (Cross-Origin Resource Sharing)
- A mechanism by which a server states, through response headers such as Access-Control-Allow-Origin, which other origins may read its responses, relaxing the Same-Origin Policy in a controlled way. Reflecting any Origin while also allowing credentials exposes authenticated data to every site.
- HSTS (HTTP Strict Transport Security)
- A response header that instructs the browser to reach the host only over HTTPS for the stated max-age, preventing protocol downgrade attacks and plaintext cookie hijacking. It takes effect only after the first HTTPS visit unless the domain is on the browser preload list.
- Permissions-Policy
- Controls which browser features (camera, microphone, geolocation and others) the page and its embedded frames may use, limiting what a compromised page or third-party iframe can do. It replaces the older Feature-Policy header.
- Referrer-Policy
- Controls how much of the current URL is sent in the Referer header when navigating away or loading resources, protecting user privacy and preventing paths, query strings and tokens from leaking to third parties.
- X-Content-Type-Options
- When set to 'nosniff', stops browsers from guessing (MIME-sniffing) a response's content type, so a file served as text or an image cannot be reinterpreted and executed as script or rendered as HTML.
- X-Frame-Options
- A legacy header stating whether the page may be embedded in a frame (DENY or SAMEORIGIN), protecting against clickjacking. The CSP frame-ancestors directive supersedes it and is more expressive; sending both covers older browsers.
TLS
- Certificate Authority (CA)
- A trusted organization that issues SSL/TLS certificates after verifying domain control or organizational identity. Browsers and operating systems ship a root store of CAs they trust; a certificate is accepted only if it chains to one of them.
- Certificate Transparency (CT)
- A system of public, append-only logs of publicly trusted certificates. Browsers require proof that a certificate was logged, so domain owners can monitor the logs and detect certificates issued for their domains without authorization.
- Forward Secrecy
- A property of key exchange (ephemeral Diffie-Hellman, mandatory in TLS 1.3) where each session derives fresh keys, so recorded traffic cannot be decrypted even if the server's long-term private key is later exposed.
- Mixed Content
- When an HTTPS page loads resources over plain HTTP, letting a network attacker tamper with them. Active mixed content (scripts, frames, stylesheets) is blocked by browsers; modern browsers also upgrade passive content such as images to HTTPS and block it if the upgrade fails.
- OCSP Stapling
- A method where the server includes a CA-signed revocation status for its own certificate in the TLS handshake, so the client need not contact the CA's OCSP responder. This is faster and does not reveal to the CA which sites the client visits.
- SSL (Secure Sockets Layer)
- The predecessor to TLS. All SSL versions (2.0, 3.0) are deprecated due to security vulnerabilities and must not be enabled. When people say 'SSL', they usually mean TLS.
- SSL Certificate
- An X.509 digital certificate that binds a public key to a domain name, authenticating a website's identity and enabling encrypted connections. Despite the name, modern certificates are used with TLS.
- TLS (Transport Layer Security)
- A cryptographic protocol that provides authenticated, encrypted communication over networks. TLS 1.3 is the current version; TLS 1.0 and 1.1 are deprecated and should be disabled along with SSL.
Attacks
- Clickjacking
- An attack where the victim is tricked into clicking on a hidden element by loading the target page in an invisible iframe over a decoy page. Mitigated with X-Frame-Options or the CSP frame-ancestors directive.
- CSRF (Cross-Site Request Forgery)
- An attack that makes an authenticated user's browser send a request the user did not intend, for example from a hidden form on an attacker's page, relying on the browser attaching session cookies automatically. Mitigated with anti-CSRF tokens and SameSite cookies.
- Man-in-the-Middle (MITM)
- An attack where an attacker secretly intercepts and possibly alters communication between two parties who believe they are communicating directly. TLS with a validated certificate chain is the primary defense on the web.
- Session Hijacking
- Stealing session tokens (via XSS, network sniffing or malware) or predicting them, to gain unauthorized access to user accounts. Mitigations include Secure and HttpOnly cookie flags, HSTS, long random tokens and rotating the token at login.
- SQL Injection
- An attack that places attacker-controlled input into the text of an application's SQL query, allowing the attacker to read or modify database contents. Prevented by parameterized queries, which keep data separate from query text.
- Subdomain Takeover
- When an attacker claims control of a subdomain by exploiting a dangling DNS record, for example a CNAME pointing to a cloud hosting service where the corresponding resource has been deleted and can be registered by anyone.
- XSS (Cross-Site Scripting)
- An attack where malicious script is injected into a trusted website's pages (stored, reflected or DOM-based) and executes in victims' browsers to steal data or perform actions as the user. Mitigated by context-aware output encoding and a strict CSP.
DNS
- CAA (Certificate Authority Authorization)
- DNS records that specify which Certificate Authorities are allowed to issue certificates for a domain. CAs are required to check CAA before issuing, so a record limits the damage from a mis-issuance elsewhere.
- DKIM (DomainKeys Identified Mail)
- Email authentication that adds a cryptographic signature to messages, verified against a public key published in DNS. A valid signature proves the signing domain (the d= tag) vouched for the message and that the signed headers and body were not altered in transit; tying that domain to the visible From address is DMARC's job.
- DMARC
- A DNS policy that builds on SPF and DKIM, requiring at least one of them to pass and to align with the From domain. It tells receivers whether to deliver, quarantine or reject failing mail and provides aggregate (rua) and failure (ruf) reports on authentication results.
- DNSSEC
- Security extensions for DNS that sign records so resolvers can verify their authenticity and integrity, preventing cache poisoning and DNS spoofing. DNSSEC authenticates answers; it does not encrypt queries.
- SPF (Sender Policy Framework)
- A DNS TXT record listing which IP addresses and hosts are authorized to send mail using the domain in the SMTP envelope sender (MAIL FROM). It does not check the visible From header and fails on forwarded mail, which is why DMARC pairs it with DKIM.
General
- Defense in Depth
- A security strategy using multiple independent layers of protection, so that if one layer fails (a bypassed filter, a leaked credential), others still limit the damage.
- Nonce
- A value used only once ("number used once"), normally random, that prevents replay of a message or request. In CSP, a fresh per-response nonce in script-src marks the inline scripts that are allowed to run; it must be unpredictable and never reused across responses.
- Principle of Least Privilege
- Giving users, services and processes only the minimum permissions needed to perform their functions, limiting the damage an attacker can do with any single compromised account or component.
- Same-Origin Policy
- A browser security mechanism that prevents a script on one origin (scheme, host and port) from reading data belonging to another origin, forming the foundation of web security. CORS is the controlled way to relax it.
- Security.txt
- A standard file (/.well-known/security.txt, defined in RFC 9116) that tells security researchers how to report vulnerabilities responsibly, including a contact address and optionally a policy link and PGP key.
- SRI (Subresource Integrity)
- A feature that lets a page state a cryptographic hash (the integrity attribute) for a script or stylesheet it loads; the browser refuses to execute the resource if the fetched bytes do not match. It protects against a compromised or tampered CDN, and cross-origin resources must be fetched with CORS for the check to apply.
- Zero Trust
- A security model that requires authentication and authorization for every access request, assuming no implicit trust based on network location such as being inside the corporate network.