Network Protection -- Firewalls and Zero Trust

Browser and Platform Security

Same-origin policy: Browser rule that restricts code from interacting with documents from different protocol, hostname, or port.
Origin: The tuple of protocol, hostname, and port that defines isolation boundaries.
iFrame isolation: Segregation of embedded pages so scripts cannot access each other's DOM unless origins match.
Document Object Model (DOM): In-browser object representation of HTML that scripts can modify and attackers can target via injection.

HTTPS (TLS): Encrypted channel providing confidentiality, integrity, and basic server authentication.
Secure cookie flag: Restricts cookies to HTTPS connections.
HttpOnly cookie flag: Prevents JavaScript from accessing cookies, mitigating XSS-based theft.
SameSite cookie attribute: Controls whether cookies are sent on cross-site requests.
Session ID: Server-generated identifier for maintaining an authenticated session.

Access-Control-Allow-Origin: Server directive that names which origins are allowed to read cross-origin responses.

Content Security Policy: A header that defines which content sources may be loaded by the browser.
frame-ancestors: CSP directive that controls which origins may embed a page.

Session hijacking: Attack where a stolen session ID is used to impersonate a user.
Session fixation: Attack where a victim is forced to use a session ID chosen by the attacker prior to login.
Inadequate session expiration: Sessions remain valid too long, allowing stolen IDs to be reused.

Stored XSS: Injection where malicious script is saved on the server and sent to all visitors.
Reflected XSS: Injection where user input is immediately echoed in a response and executed.
DOM-based XSS: Injection caused by client-side scripts inserting untrusted data into the DOM.
Output encoding: Context-specific escaping that prevents data from becoming executable code.

CSRF: Attack where a victim's browser makes authenticated requests without the user’s intent.
CSRF token: Unpredictable request token used to validate that a request originates from the legitimate site.
Origin/Referer validation: Server checks that a request originated from an approved site.

Clickjacking: Deceiving users into clicking hidden interface elements layered in transparent frames.
X-Frame-Options: Header that specifies whether a page may be framed and by whom.

SSRF: Attack that tricks a server into making internal or protected requests.

MIME sniffing: Browser action of inferring content type from data rather than headers.
X-Content-Type-Options: nosniff: Header that prevents MIME sniffing and forces strict interpretation of declared types.

Third-party cookies: Cookies set by embedded external domains to track users across sites.
Tracking pixel: Tiny image used to record visits or email opens.
Browser fingerprinting: Tracking technique that identifies a browser through its unique characteristics.

Homograph attack: Domain spoofing that uses visually similar Unicode characters.
Typosquatting: Registering misspelled versions of legitimate domains to lure victims.