A comprehensive guide to understanding web security concepts, terminology, and best practices. Click any section below to expand.
Search and browse security terms. Click on highlighted terms within definitions to jump to related concepts.
The complete address used to access a resource on the internet. Example: https://www.example.com:443/path/page.html?query=value. A URL includes the protocol, domain, optional port, path, and query parameters.
A human-readable address that identifies a website, like example.com. Domains are translated to IP addresses by the DNS system. Domains consist of a TLD (.com), second-level domain (example), and optional subdomains (www).
A prefix added to a domain name to organize or separate sections of a website. In blog.example.com, "blog" is the subdomain. Common subdomains include www, mail, api, and app.
The last segment of a domain name, appearing after the final dot. Examples: .com, .org, .net (gTLDs - generic), .uk, .de, .jp (ccTLDs - country code). Some TLDs like .bank or .gov have strict registration requirements.
A numerical label assigned to each device on a network. IPv4 addresses look like 192.168.1.1, while IPv6 addresses are longer: 2001:0db8:85a3::8a2e:0370:7334. IP addresses identify where to send network traffic.
Internet Protocol version 4, the fourth version of the Internet Protocol. Uses 32-bit addresses (e.g., 192.168.1.1), allowing approximately 4.3 billion unique addresses. Due to address exhaustion, IPv6 was developed.
Internet Protocol version 6, designed to replace IPv4. Uses 128-bit addresses (e.g., 2001:0db8:85a3::8a2e:0370:7334), providing a vastly larger address space. Recorded in AAAA records in DNS.
A numerical identifier (0-65535) that specifies a particular process or service on a server. Common ports: 80 (HTTP), 443 (HTTPS), 22 (SSH), 25 (SMTP). Ports allow multiple services to run on the same IP address.
A set of rules governing how data is transmitted over a network. Examples include HTTP/HTTPS for web traffic, SMTP for email, DNS for name resolution, and TLS for encryption.
The foundation protocol for data communication on the web. HTTP is unencrypted, meaning data can be intercepted and read. Modern websites should use HTTPS instead for security.
The secure version of HTTP, encrypted using TLS. HTTPS protects data in transit from eavesdropping and tampering. Indicated by a padlock icon in browsers and required for handling sensitive data.
Software that serves web pages to users' browsers. Common web servers include Apache, Nginx, and Microsoft IIS. Web servers handle HTTP/HTTPS requests and return HTML, CSS, JavaScript, and other files.
Software that retrieves and displays web pages. Browsers (Chrome, Firefox, Safari, Edge) interpret HTML, CSS, and JavaScript to render websites. They also enforce security features like CSP and CORS.
The internet's "phone book" that translates human-readable domain names into IP addresses. When you type a URL, DNS servers look up the corresponding IP address so your browser knows where to connect.
A DNS record that maps a domain name to an IPv4 address. Example: example.com → 93.184.216.34. Multiple A records can point to different IPs for load balancing.
A DNS record that maps a domain name to an IPv6 address. Similar to A records but for the newer IPv6 protocol.
A DNS record specifying which mail servers accept email for a domain. MX records have a priority value; lower numbers indicate higher priority. Essential for email delivery.
A DNS record that specifies which name servers are authoritative for a domain. NS records delegate DNS resolution to specific servers.
A DNS record that holds arbitrary text data. Commonly used for SPF, DKIM, DMARC email authentication, and domain ownership verification (Google, Microsoft, etc.).
A DNS record that creates an alias from one domain name to another. Example: www.example.com → example.com. Cannot coexist with other record types for the same name.
A DNS record containing administrative information about a DNS zone, including the primary name server, admin email, serial number, and refresh intervals.
A DNS record used for reverse DNS lookups—mapping an IP address back to a domain name. Important for email server verification and network diagnostics.
A DNS record specifying which Certificate Authorities are allowed to issue SSL certificates for a domain. Helps prevent unauthorized certificate issuance.
The duration (in seconds) that a DNS record can be cached before it must be refreshed. Lower TTLs mean faster propagation of changes but more DNS queries; higher TTLs reduce load but slow updates.
A server that handles DNS queries. Authoritative name servers hold the official records for a domain; recursive resolvers query other servers to find answers. Common providers: Cloudflare, AWS Route 53, Google DNS.
A set of extensions to DNS that add cryptographic signatures to DNS records, preventing DNS spoofing and cache poisoning attacks. Verifies that DNS responses haven't been tampered with.
An email authentication method using TXT records to specify which mail servers are authorized to send email for a domain. Helps prevent email spoofing. Works with DKIM and DMARC.
An email authentication method that adds a digital signature to outgoing emails. Recipients verify the signature using a public key published in DNS. Proves emails haven't been modified in transit.
An email authentication protocol that builds on SPF and DKIM. DMARC tells receiving servers what to do when authentication fails (none, quarantine, or reject) and provides reporting.
The standard protocol for sending emails across the internet. SMTP servers (port 25, 587, or 465) relay messages between mail servers. Works with MX records to route email.
A protocol for retrieving email that keeps messages on the server. Unlike POP3, IMAP syncs across multiple devices. Standard port: 993 (encrypted).
A protocol for retrieving email that typically downloads messages and removes them from the server. Simpler than IMAP but doesn't sync across devices. Standard port: 995 (encrypted).
The practice of sending emails with a forged sender address to make them appear to come from someone else. Used in phishing attacks. Prevented by SPF, DKIM, and DMARC.
The predecessor to TLS, now deprecated due to security vulnerabilities. The term "SSL" is still commonly used to refer to TLS encryption and SSL certificates.
A cryptographic protocol that provides secure communication over networks. TLS encrypts data between clients and servers, preventing eavesdropping. Used by HTTPS. Current version: TLS 1.3.
A digital certificate that authenticates a website's identity and enables encrypted connections. Issued by Certificate Authorities. Contains the public key, domain name, issuer, and validity period.
A trusted organization that issues SSL/TLS certificates. CAs verify domain ownership before issuing certificates. Examples: Let's Encrypt (free), DigiCert, Comodo, GlobalSign. Controlled by CAA records.
An SSL certificate signed by its own creator rather than a trusted CA. Browsers show warnings for self-signed certificates. Acceptable for internal/development use, not for public websites.
The hierarchy of certificates from your site's certificate up to a trusted root CA. Includes intermediate certificates. A broken chain causes browser warnings.
A system of public logs that record all issued SSL certificates. Allows domain owners to detect unauthorized certificates. Browsers require CT compliance for trusted certificates.
The process of converting readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and key. Only those with the correct key can decrypt the data. Used by HTTPS, email, file storage, etc.
A one-way function that converts data into a fixed-size string (hash/digest). Unlike encryption, hashing cannot be reversed. Used for password storage, data integrity verification. Common algorithms: SHA-256, bcrypt.
A security header that forces browsers to only connect via HTTPS. Prevents protocol downgrade attacks and cookie hijacking. Example: Strict-Transport-Security: max-age=31536000; includeSubDomains
A security header that controls which resources (scripts, styles, images, etc.) a browser can load. Prevents XSS and data injection attacks by whitelisting trusted sources.
A security header that controls whether a page can be embedded in an iframe. Prevents clickjacking attacks. Values: DENY, SAMEORIGIN. Being replaced by CSP's frame-ancestors directive.
A security header that prevents browsers from MIME-sniffing (guessing content types). Set to nosniff to ensure browsers respect declared content types, preventing certain attacks.
A security header controlling how much referrer information is sent with requests. Options range from no-referrer (none) to unsafe-url (full URL). Recommended: strict-origin-when-cross-origin.
A security header (formerly Feature-Policy) that controls which browser features and APIs can be used. Example: disable geolocation, camera, microphone access to reduce attack surface.
A mechanism using HTTP headers to allow or restrict web pages from making requests to a different domain than the one serving the page. Controls cross-origin API access.
A security header that isolates a document's browsing context from cross-origin windows. Prevents cross-origin attacks that exploit window references. Values: same-origin, same-origin-allow-popups, unsafe-none.
A security header that controls loading of cross-origin resources. Setting require-corp only allows resources that explicitly grant permission. Required (with COOP) to use SharedArrayBuffer.
A security header that tells browsers who can load a resource. Values: same-site, same-origin, cross-origin. Protects resources from being embedded by unauthorized sites.
A social engineering attack where attackers impersonate legitimate entities to trick victims into revealing sensitive information like passwords or credit card numbers. Often uses email spoofing and fake websites.
A targeted form of phishing aimed at specific individuals or organizations. Attackers research their targets to craft convincing, personalized messages. More dangerous than generic phishing.
A vulnerability allowing attackers to inject malicious scripts into web pages viewed by other users. Can steal cookies, session tokens, or perform actions as the victim. Prevented by CSP and input sanitization.
An attack that tricks users into performing unintended actions on a site where they're authenticated. Example: clicking a link that transfers money. Prevented by CSRF tokens and SameSite cookie attributes.
An attack where malicious SQL code is inserted into application queries, allowing attackers to access, modify, or delete database data. Prevented by parameterized queries and input validation. One of OWASP Top 10.
An attack where the attacker secretly intercepts and potentially alters communications between two parties. Prevented by HTTPS/TLS encryption and certificate validation.
An attack that overwhelms a server with traffic from multiple sources, making it unavailable to legitimate users. Mitigated by CDNs, rate limiting, and DDoS protection services like Cloudflare.
An attack where a malicious site embeds your site in a hidden iframe, tricking users into clicking on it unknowingly. Prevented by X-Frame-Options or CSP frame-ancestors.
Registering domain names similar to legitimate ones (e.g., "gooogle.com" or "arnazon.com") to catch users who mistype URLs. Used for phishing or malware distribution. Also called URL hijacking.
Using characters that look similar (e.g., Cyrillic "а" vs Latin "a") to create deceptive domain names. Example: "аpple.com" (using Cyrillic а) looks identical to "apple.com". Browsers show punycode to combat this.
Manipulating people into divulging confidential information or performing actions. Exploits human psychology rather than technical vulnerabilities. Includes phishing, pretexting, baiting, and tailgating.
An attack that systematically tries all possible passwords or keys until finding the correct one. Mitigated by rate limiting, account lockouts, CAPTCHA, and strong password requirements.
When a subdomain points to an external service that's been decommissioned, attackers can claim that service and control the subdomain. Common with cloud services, GitHub Pages, Heroku.
Information collected from publicly available sources for intelligence purposes. In cybersecurity, this includes DNS records, WHOIS data, certificate transparency logs, and public threat feeds.
Evidence-based knowledge about existing or emerging threats. Includes indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs). Sources: AlienVault OTX, VirusTotal, abuse.ch.
A weakness in software, hardware, or processes that can be exploited by attackers. Vulnerabilities are tracked using CVE identifiers and rated by severity (CVSS scores).
Code or technique that takes advantage of a vulnerability to compromise a system. Exploits can be used for unauthorized access, privilege escalation, or denial of service.
A standardized identifier for known security vulnerabilities. Format: CVE-YEAR-NUMBER (e.g., CVE-2021-44228 for Log4Shell). Maintained by MITRE Corporation.
A vulnerability that is unknown to the software vendor or has no available patch. "Zero days" refers to the number of days the vendor has known about it. Highly valuable to attackers.
A network security system that monitors and filters incoming and outgoing traffic based on security rules. Can be hardware or software-based. Controls access between trusted and untrusted networks.
A firewall specifically designed to protect web applications by filtering HTTP traffic. Blocks SQL injection, XSS, and other web attacks. Examples: Cloudflare WAF, AWS WAF, ModSecurity.
A service that creates an encrypted tunnel between your device and a server, protecting your traffic from eavesdroppers. Commonly used for privacy, bypassing geo-restrictions, and secure remote access.
An authentication method requiring two or more verification factors: something you know (password), something you have (phone/token), or something you are (biometrics). Significantly improves account security.
The process of verifying a user's identity—confirming they are who they claim to be. Typically done through passwords, MFA, certificates, or biometrics. Different from authorization.
The process of determining what an authenticated user is allowed to do—their permissions and access rights. Happens after authentication. Example: admin vs. regular user privileges.
A protocol and database for querying domain registration information: registrant, registrar, creation/expiration dates, and name servers. Being replaced by RDAP. Privacy services can mask registrant data.
The modern replacement for WHOIS. Provides domain registration data in a standardized, machine-readable format (JSON). Supports authenticated access and better internationalization.
A command-line tool for querying DNS servers. Used to look up A records, MX records, and other DNS information. Available on Windows, macOS, and Linux.
A flexible command-line tool for DNS queries, providing more detailed output than nslookup. Can query specific record types, trace resolution path, and check DNSSEC.
A network diagnostic tool that shows the path packets take to reach a destination, listing each hop (router) along the way. Useful for identifying network issues and understanding routing.
A network utility that tests connectivity by sending ICMP echo requests to a host and measuring response time. Basic network troubleshooting tool. Example: ping example.com
A command-line tool for transferring data using various protocols including HTTP/HTTPS. Useful for testing APIs, checking headers, and downloading files. Highly versatile for web debugging.
A distributed network of servers that delivers content to users from geographically closer locations, improving speed and reducing latency. Also provides DDoS protection. Examples: Cloudflare, AWS CloudFront, Akamai.
Email authentication prevents attackers from sending emails that appear to come from your domain. These protocols work together in layers to protect your domain's reputation, verify message integrity, and ensure secure transmission.
Email was designed in the 1970s without authentication—anyone could claim to send from any address. This fundamental flaw enables:
Attackers impersonate executives to request wire transfers or sensitive data
Phishers send fake invoices or login pages using your domain
Without authentication, legitimate emails may be marked as spam
SPF tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. It's the first line of defense against email spoofing.
When an email is received:
1. Receiving server extracts the domain from the "MAIL FROM" (envelope sender)
2. DNS returns the SPF record listing authorized senders
3. Server compares sending IP against the authorized list
4. Result: pass, fail, softfail, neutral, or none
SPF Record Syntax Explained:
v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:sendgrid.net -all │ │ │ │ │ │ │ │ │ └─ Policy for non-matches │ │ │ └─ Include SendGrid's SPF │ │ └─ Include Google's SPF record │ └─ Allow this IP range └─ SPF version (always v=spf1)
SPF Mechanisms:
| Mechanism | Purpose | Example |
|---|---|---|
ip4: | Match IPv4 address or range | ip4:192.168.1.1 or ip4:192.168.0.0/16 |
ip6: | Match IPv6 address or range | ip6:2001:db8::/32 |
a | Match domain's A record IP | a or a:mail.example.com |
mx | Match domain's MX record IPs | mx or mx:example.com |
include: | Include another domain's SPF | include:_spf.google.com |
redirect= | Use another domain's SPF entirely | redirect=_spf.example.com |
SPF Qualifiers (the prefix before mechanisms):
| Qualifier | Meaning | Recommendation |
|---|---|---|
+ (Pass) | IP is authorized (default if omitted) | Standard for authorized senders |
- (Fail) | IP is NOT authorized, reject | Use in -all after thorough testing |
~ (SoftFail) | IP is probably not authorized | Good for initial deployment: ~all |
? (Neutral) | No statement about the IP | Rarely used |
Common SPF Records for Popular Providers:
# Google Workspace v=spf1 include:_spf.google.com ~all # Microsoft 365 v=spf1 include:spf.protection.outlook.com ~all # Amazon SES v=spf1 include:amazonses.com ~all # Multiple providers (common real-world example) v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all
include:, a, mx, redirect= counts as a lookup. Exceeding 10 causes a permanent error (permerror).DKIM adds a cryptographic signature to emails, proving the message hasn't been altered in transit and was authorized by the domain owner.
Signing (Outbound):
DKIM-Signature: headerVerification (Inbound):
selector._domainkey.domain.comThe signature proves:
DKIM Signature Header Example:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=example.com; s=selector1;
h=from:to:subject:date:message-id;
bh=base64hashOfBody==;
b=base64SignatureValue...
DKIM Parameters Explained:
| Tag | Meaning | Example |
|---|---|---|
v= | Version (always 1) | v=1 |
a= | Signing algorithm | a=rsa-sha256 |
d= | Signing domain | d=example.com |
s= | Selector (identifies key pair) | s=google or s=selector1 |
h= | Headers included in signature | h=from:to:subject |
bh= | Body hash | Base64 encoded hash |
b= | Signature value | Base64 encoded signature |
c= | Canonicalization (how to normalize) | c=relaxed/relaxed |
DKIM DNS Record:
# DNS Record Name: selector1._domainkey.example.com # DNS Record Value (TXT): v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
DMARC ties SPF and DKIM together, tells receivers what to do when checks fail, and provides visibility through reporting.
DMARC Alignment Check:
DMARC requires that the domain in the visible "From:" header aligns with:
This prevents attacks where SPF/DKIM pass for one domain but the "From:" shows a different domain.
DMARC passes if:
(SPF passes AND SPF aligns) OR (DKIM passes AND DKIM aligns)
Alignment Modes:
aspf=s, adkim=s): Exact domain match requiredaspf=r, adkim=r): Subdomains allowed (default)DMARC Record Syntax:
v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com; adkim=r; aspf=r │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ └─ SPF alignment mode │ │ │ │ │ │ └─ DKIM alignment mode │ │ │ │ │ └─ Forensic report address │ │ │ │ └─ Aggregate report address │ │ │ └─ Percentage of mail to apply policy to │ │ └─ Subdomain policy │ └─ Policy (none/quarantine/reject) └─ Version
DMARC Policies:
| Policy | Action | When to Use |
|---|---|---|
p=none |
Monitor only, deliver normally | Start here Collect data, identify legitimate senders |
p=quarantine |
Mark as suspicious (spam folder) | Phase 2 After reviewing reports |
p=reject |
Reject the message entirely | Final goal Maximum protection |
DMARC Implementation Path:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Review aggregate reports, identify all legitimate email sources, fix SPF/DKIM issues
v=DMARC1; p=quarantine; pct=25; rua=... then increase pct to 50, 100
v=DMARC1; p=reject; rua=...
MTA-STS forces other mail servers to use encrypted TLS connections when delivering email to your domain, preventing man-in-the-middle attacks and downgrade attacks on email transmission.
The Problem: Email transmission between servers (SMTP) traditionally used "opportunistic TLS"—servers try encryption but fall back to unencrypted if it fails. An attacker can:
The Solution: MTA-STS tells senders "you MUST use TLS with a valid certificate, or don't deliver at all."
Setting Up MTA-STS (2 components):
1. DNS Record:
# TXT record for _mta-sts.yourdomain.com v=STSv1; id=20240115120000
The id must change whenever you update the policy (use timestamp or version number).
2. Policy File (served via HTTPS):
Host this file at: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
version: STSv1 mode: enforce mx: mail.yourdomain.com mx: backup-mail.yourdomain.com max_age: 604800
MTA-STS Modes:
| Mode | Behavior | Use Case |
|---|---|---|
testing | Report failures but still deliver | Initial deployment, validation |
enforce | Reject delivery if TLS fails | Production after testing |
none | Policy disabled | Temporarily disable without removing DNS |
mta-sts subdomain needs HTTPS configuredTLS-RPT provides reporting for MTA-STS (and DANE). It tells you when other servers have trouble establishing secure connections to your mail servers.
# TXT record for _smtp._tls.yourdomain.com v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com
What TLS-RPT reports tell you:
BIMI displays your verified brand logo next to emails in supported mail clients (Gmail, Apple Mail, Yahoo). It requires DMARC enforcement and optionally a Verified Mark Certificate (VMC).
p=quarantine or p=reject, encouraging stronger email authenticationBIMI Prerequisites:
p=quarantine or p=rejectBIMI DNS Record:
# TXT record for default._bimi.yourdomain.com # Without VMC (works in Yahoo, some clients) v=BIMI1; l=https://example.com/brand/logo.svg # With VMC (required for Gmail) v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/certificate.pem
| Protocol | DNS Record | Purpose | Priority |
|---|---|---|---|
| SPF | TXT @ v=spf1... |
Authorize sending IPs | Essential |
| DKIM | TXT selector._domainkey | Sign messages cryptographically | Essential |
| DMARC | TXT _dmarc | Policy + reporting | Essential |
| MTA-STS | TXT _mta-sts + HTTPS file | Enforce TLS for inbound mail | Recommended |
| TLS-RPT | TXT _smtp._tls | TLS failure reporting | Recommended |
| BIMI | TXT default._bimi | Brand logo display | Optional |
An attacker sends an email that passes SPF (sent from an authorized IP), but the "From:" header shows your CEO's email address while the envelope sender is a different domain. Will DMARC protect against this?
SSL/TLS certificates encrypt data between your users and your server, verify your server's identity, and are essential for any website handling sensitive information. Understanding how TLS works helps you configure it securely.
Data is encrypted in transit—attackers can't read intercepted traffic
Certificates prove server identity—users know they're talking to the real site
Messages can't be modified in transit without detection
Before encrypted communication begins, client and server perform a "handshake" to agree on encryption parameters and verify identities.
TLS 1.3 requires only 1 round trip (1-RTT):
ClientHello: Supported TLS versions, cipher suites, key share (for key exchange)
ServerHello: Chosen cipher suite, key share, certificate, finished message
Finished: Client confirms, encrypted application data begins
Browsers trust certificates because they're signed by trusted Certificate Authorities (CAs). This creates a chain:
Common mistake: Missing intermediate certificates cause "untrusted" errors on some devices but not others (depending on cached certificates).
| Type | Validation | Trust Indicator | Cost | Use Case |
|---|---|---|---|---|
| DV (Domain Validated) | Proves domain control only | Padlock icon | Free - $50/yr | Personal sites, blogs, most websites |
| OV (Organization Validated) | Verifies organization exists | Padlock (org in cert details) | $50 - $200/yr | Business websites |
| EV (Extended Validation) | Rigorous org verification | Padlock (org in cert details) | $150 - $500/yr | Banks, e-commerce (diminishing value) |
| Type | Covers | Example | Pros/Cons |
|---|---|---|---|
| Single Domain | One specific domain | www.example.com |
Simplest, most specific |
| Wildcard | All subdomains at one level | *.example.com |
Flexible, but if compromised all subdomains affected. Doesn't cover *.sub.example.com |
| SAN/UCC | Multiple specific domains | example.com, example.org, app.example.com |
Multiple unrelated domains on one cert. Must list each explicitly. |
Fundamentally broken. Never use.
Vulnerable to POODLE attack. Disabled by all modern browsers.
Vulnerable to BEAST. PCI-DSS non-compliant since 2018.
No known critical vulnerabilities, but deprecated by browsers in 2020.
Secure when configured properly. Still widely used for compatibility.
Faster (1-RTT), removes weak ciphers, mandatory forward secrecy. The modern standard.
A cipher suite is a combination of algorithms used for key exchange, authentication, encryption, and message integrity.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 │ │ │ │ │ │ │ │ │ │ │ │ │ └─ MAC algorithm (integrity) │ │ │ │ │ └─ Key size │ │ │ │ └─ Mode (GCM = authenticated encryption) │ │ │ └─ Bulk encryption algorithm │ │ └─ Authentication (certificate type) │ └─ Key exchange algorithm └─ Protocol
Recommended Cipher Suites (Nginx):
ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; ssl_prefer_server_ciphers off; # Let client choose (TLS 1.3 doesn't use this)
| Contains | Problem | Example |
|---|---|---|
RC4 | Broken stream cipher | TLS_RSA_WITH_RC4_128_SHA |
DES / 3DES | Weak block cipher (64-bit blocks) | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
MD5 | Broken hash function | Anything with MD5 |
EXPORT | Intentionally weakened for old regulations | TLS_RSA_EXPORT_WITH_* |
NULL | No encryption at all | TLS_RSA_WITH_NULL_SHA |
RSA key exchange | No forward secrecy | TLS_RSA_WITH_AES_128_CBC_SHA |
CBC mode | Vulnerable to padding oracle attacks (can be okay with TLS 1.2 mitigations) | *_CBC_* |
Certificate Transparency is a system where CAs must log all issued certificates publicly. This helps detect misissued or malicious certificates.
When a private key is compromised or a certificate is misissued, it must be revoked. Browsers check revocation status via:
| Method | How it Works | Pros/Cons |
|---|---|---|
| CRL (Certificate Revocation List) | Download list of all revoked certs from CA | Large downloads, infrequent updates, mostly abandoned |
| OCSP (Online Certificate Status Protocol) | Real-time query to CA for specific cert | Privacy concerns (CA knows what sites you visit), adds latency |
| OCSP Stapling | Server fetches OCSP response, includes in TLS handshake | Recommended Fast, private, but requires server configuration |
Enable OCSP Stapling (Nginx):
ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/chain.pem; # CA chain for verification resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s;
Let's Encrypt provides free, automated SSL certificates. Certbot is the recommended client.
Install and run Certbot for Nginx:
# Ubuntu/Debian sudo apt update sudo apt install certbot python3-certbot-nginx # Get certificate (auto-configures Nginx) sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com # Test auto-renewal sudo certbot renew --dry-run
Install and run Certbot for Apache:
# Ubuntu/Debian sudo apt update sudo apt install certbot python3-certbot-apache # Get certificate (auto-configures Apache) sudo certbot --apache -d yourdomain.com -d www.yourdomain.com # Test auto-renewal sudo certbot renew --dry-run
Standalone mode (no web server integration):
# Stop web server temporarily sudo systemctl stop nginx # Get certificate (Certbot runs its own server on port 80) sudo certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com # Certificates saved to /etc/letsencrypt/live/yourdomain.com/ # - fullchain.pem (cert + intermediate) # - privkey.pem (private key) # Restart web server sudo systemctl start nginx
Always redirect HTTP to HTTPS. This ensures users who type your domain without https:// still get encrypted connections.
# Redirect all HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$host$request_uri;
}
# HTTPS server block
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name yourdomain.com www.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# ... rest of config
}
# In .htaccess or VirtualHost config
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Or in Apache 2.4+ VirtualHost:
<VirtualHost *:80>
ServerName yourdomain.com
Redirect permanent / https://yourdomain.com/
</VirtualHost>
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name yourdomain.com;
# Certificate files
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# SSL/TLS settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Session settings
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off; # Disable for forward secrecy
# DH parameters (generate with: openssl dhparam -out /etc/nginx/dhparam.pem 2048)
ssl_dhparam /etc/nginx/dhparam.pem;
# HSTS (uncomment after testing)
# add_header Strict-Transport-Security "max-age=63072000" always;
# ... rest of server config
}
Why is "forward secrecy" important in TLS?
Security headers are HTTP response headers that instruct browsers how to behave when handling your content. They're your first line of defense against XSS, clickjacking, and many other client-side attacks—and they cost nothing to implement.
Even with secure server-side code, browsers need instructions on how to protect users. Without security headers:
Injected scripts execute freely without CSP restrictions
Your site can be invisibly embedded in malicious pages
Attackers can strip encryption without HSTS
Uploaded files can be misinterpreted as executable scripts
| Header | Protects Against | Priority |
|---|---|---|
| Content-Security-Policy | XSS, data injection, unauthorized scripts | Critical |
| Strict-Transport-Security | Protocol downgrade, SSL stripping, MITM | Critical |
| X-Frame-Options | Clickjacking | High |
| X-Content-Type-Options | MIME sniffing attacks | High |
| Referrer-Policy | Information leakage via referrer | Medium |
| Permissions-Policy | Unauthorized feature access (camera, mic, etc.) | Medium |
| Cross-Origin-Opener-Policy | Cross-origin window attacks (Spectre) | Medium |
| Cross-Origin-Resource-Policy | Unauthorized resource embedding | Low |
HSTS tells browsers to always use HTTPS for your domain, even if the user types http:// or clicks an HTTP link.
SSL Stripping Attack (without HSTS):
The attacker intercepts HTTP requests and proxies them to HTTPS, stripping encryption from the user's side. User sees no padlock but might not notice.
With HSTS:
Browser remembers "always use HTTPS for this site" and refuses to connect via HTTP, blocking the attack entirely.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload │ │ │ │ │ │ │ └─ Eligible for browser preload list │ │ └─ Apply to all subdomains │ └─ Remember for 1 year (in seconds) └─ Header name
HSTS Directives:
| Directive | Purpose | Recommendation |
|---|---|---|
max-age |
How long browser remembers (seconds) | Start with 300 (5 min), increase to 31536000 (1 year) |
includeSubDomains |
Apply to all subdomains | Use if ALL subdomains support HTTPS |
preload |
Request inclusion in browser preload lists | Submit to hstspreload.org after testing |
CSP is the most powerful security header. It tells browsers exactly which resources are allowed to load, effectively blocking most XSS attacks even if your code has vulnerabilities.
XSS Attack Scenario:
Attacker injects <script>stealCookies()</script> into a comment field.
Without CSP: Browser executes the script—cookies stolen.
With CSP script-src 'self': Browser checks if the inline script is allowed. It's not ('self' only allows scripts from your domain as files). Script is blocked, attack fails.
This is defense in depth: CSP protects users even when server-side validation fails.
CSP Directive Reference:
| Directive | Controls | Example Values |
|---|---|---|
default-src | Fallback for all resource types | 'self' |
script-src | JavaScript sources | 'self' https://cdn.example.com |
style-src | CSS sources | 'self' 'unsafe-inline' |
img-src | Image sources | 'self' data: https: |
font-src | Font sources | 'self' https://fonts.gstatic.com |
connect-src | AJAX, WebSocket, fetch | 'self' https://api.example.com |
media-src | Audio/video sources | 'self' |
object-src | Plugins (Flash, Java) | 'none' |
frame-src | Iframe sources | 'self' https://youtube.com |
frame-ancestors | Who can embed YOUR page | 'self' or 'none' |
form-action | Form submission targets | 'self' |
base-uri | Base URL for relative URLs | 'self' |
upgrade-insecure-requests | Auto-upgrade HTTP to HTTPS | (no value needed) |
CSP Source Values:
| Value | Meaning | Security |
|---|---|---|
'self' | Same origin only | ✓ Secure |
'none' | Block all | ✓ Most secure |
https://example.com | Specific origin | ✓ Secure |
https: | Any HTTPS origin | ⚠ Too permissive |
'unsafe-inline' | Allow inline scripts/styles | ✗ Defeats XSS protection |
'unsafe-eval' | Allow eval(), setTimeout(string) | ✗ Dangerous |
'nonce-xxx' | Allow specific inline with nonce | ✓ Secure alternative to unsafe-inline |
'sha256-xxx' | Allow specific inline by hash | ✓ Secure alternative to unsafe-inline |
'strict-dynamic' | Trust scripts loaded by trusted scripts | ✓ Modern approach |
A nonce (number used once) allows specific inline scripts while blocking injected ones:
1. Generate a random nonce per request (server-side):
$nonce = base64_encode(random_bytes(16)); // PHP example
2. Add nonce to CSP header:
Content-Security-Policy: script-src 'nonce-abc123RandomValue=='
3. Add same nonce to your inline scripts:
<script nonce="abc123RandomValue==">
// This script will execute
console.log("Allowed by nonce");
</script>
<script>
// This script (no nonce) will be BLOCKED
maliciousCode();
</script>
Example CSP Policies:
Strict Policy (best security, requires no inline scripts):
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'self'; upgrade-insecure-requests
Moderate Policy (allows common CDNs):
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; object-src 'none'; upgrade-insecure-requests
Starter Policy (report-only, find what breaks):
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; report-uri /csp-report-endpoint
Use Content-Security-Policy-Report-Only first to see violations without breaking your site.
Controls whether your page can be embedded in <iframe>, <frame>, or <object> elements. Prevents clickjacking attacks.
Attacker creates a page with an invisible iframe of your site positioned over a decoy button:
<!-- Attacker's page -->
<button>Click to win a prize!</button>
<iframe src="https://yourbank.com/transfer?to=attacker&amount=1000"
style="opacity: 0; position: absolute; top: 0;">
</iframe>
User thinks they're clicking "win a prize" but actually clicks the hidden bank transfer button.
# Block all framing X-Frame-Options: DENY # Allow same-origin framing only X-Frame-Options: SAMEORIGIN
frame-ancestors directive is the modern replacement with more flexibility, but X-Frame-Options is still needed for older browsers.
Prevents browsers from "sniffing" the MIME type, forcing them to respect the declared Content-Type.
Scenario: Your site allows file uploads. An attacker uploads a file named innocent.jpg but containing:
<script>alert('XSS')</script>
Without nosniff: Browser might ignore the Content-Type: image/jpeg header, detect HTML content, and execute the script.
With nosniff: Browser strictly follows the Content-Type header. File treated as image (won't render as HTML).
X-Content-Type-Options: nosniff
Controls how much URL information is sent in the Referer header when users navigate away from your site.
| Policy | Same Origin | Cross-Origin (HTTPS→HTTPS) | Downgrade (HTTPS→HTTP) |
|---|---|---|---|
no-referrer | None | None | None |
no-referrer-when-downgrade | Full URL | Full URL | None |
origin | Origin only | Origin only | Origin only |
origin-when-cross-origin | Full URL | Origin only | Origin only |
same-origin | Full URL | None | None |
strict-origin | Origin only | Origin only | None |
strict-origin-when-cross-origin | Full URL | Origin only | None |
# Recommended: full URL internally, origin only externally, nothing on downgrade Referrer-Policy: strict-origin-when-cross-origin
https://app.com/users/12345/settings to third-party analytics reveals user IDs.
Controls which browser features and APIs your page can use. Prevents embedded content from accessing sensitive capabilities.
# Disable sensitive features Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=(), usb=() # Allow only same-origin to use geolocation Permissions-Policy: geolocation=(self) # Allow specific iframe to use camera Permissions-Policy: camera=(self "https://trusted-video-app.com")
Common Features to Restrict:
| Feature | Risk if Unrestricted | Recommended |
|---|---|---|
geolocation | Track user location | () unless needed |
camera | Access webcam | () unless needed |
microphone | Record audio | () unless needed |
payment | Access Payment Request API | () unless e-commerce |
usb | Access USB devices | () unless needed |
accelerometer | Motion tracking | () unless needed |
autoplay | Auto-play media (annoyance) | (self) |
These headers provide protection against side-channel attacks (like Spectre) and control how your resources interact with other origins.
Controls whether your page shares a browsing context group with cross-origin windows (opened via window.open or links).
# Isolate from cross-origin openers (security) but allow popups Cross-Origin-Opener-Policy: same-origin-allow-popups # Full isolation (breaks window.opener references) Cross-Origin-Opener-Policy: same-origin
Requires all resources to explicitly opt-in via CORS or CORP headers. Enables powerful features like SharedArrayBuffer.
# Require CORS/CORP for all subresources Cross-Origin-Embedder-Policy: require-corp # Credentialless mode (newer, more compatible) Cross-Origin-Embedder-Policy: credentialless
require-corp will break loading from CDNs (fonts, scripts) that don't set CORP headers. Only use if you self-host all resources or need SharedArrayBuffer.
Controls who can load YOUR resources (images, scripts, etc.).
# Only same-site can embed our resources Cross-Origin-Resource-Policy: same-site # Only same-origin (stricter) Cross-Origin-Resource-Policy: same-origin # Anyone can embed (for CDNs/public APIs) Cross-Origin-Resource-Policy: cross-origin
# /etc/nginx/conf.d/security-headers.conf (include in server blocks) # HTTPS enforcement add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # XSS and injection protection add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; object-src 'none'; upgrade-insecure-requests" always; # Clickjacking protection add_header X-Frame-Options "SAMEORIGIN" always; # MIME sniffing protection add_header X-Content-Type-Options "nosniff" always; # Referrer control add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Feature restrictions add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always; # Cross-origin isolation add_header Cross-Origin-Opener-Policy "same-origin-allow-popups" always; add_header Cross-Origin-Resource-Policy "same-site" always; # Remove server identification server_tokens off; more_clear_headers Server;
# .htaccess or Apache config
<IfModule mod_headers.c>
# HTTPS enforcement
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# XSS and injection protection
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; object-src 'none'; upgrade-insecure-requests"
# Clickjacking protection
Header always set X-Frame-Options "SAMEORIGIN"
# MIME sniffing protection
Header always set X-Content-Type-Options "nosniff"
# Referrer control
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Feature restrictions
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()"
# Cross-origin isolation
Header always set Cross-Origin-Opener-Policy "same-origin-allow-popups"
Header always set Cross-Origin-Resource-Policy "same-site"
# Remove server identification
Header unset Server
Header always unset X-Powered-By
</IfModule>
# Hide Apache version
ServerTokens Prod
ServerSignature Off
In Cloudflare, use Transform Rules (Rules > Transform Rules > Modify Response Header):
# Add these as "Set static" rules: Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: geolocation=(), microphone=(), camera=() Cross-Origin-Opener-Policy: same-origin-allow-popups # For CSP, use Page Rules or Workers for complex policies
Which CSP directive would you use to prevent your site from being embedded in an iframe on another domain?
DNS (Domain Name System) is the internet's phone book, translating domain names to IP addresses. Because almost everything starts with a DNS lookup, DNS security is foundational—if attackers control your DNS, they control your traffic.
Understanding DNS resolution helps you understand where attacks can occur.
When you type www.example.com in your browser:
1. Browser Cache Check
2. OS Resolver
3. Recursive Resolver (ISP or 8.8.8.8)
4. Root Servers → TLD Servers → Authoritative Servers
5. Answer Returned
The authoritative server returns the IP, which flows back through the chain and is cached at each level.
| Record | Purpose | Example | Security Relevance |
|---|---|---|---|
| A | Maps name to IPv4 address | @ A 93.184.216.34 |
Primary target for hijacking |
| AAAA | Maps name to IPv6 address | @ AAAA 2606:2800:220:1::1 |
Don't forget IPv6 security |
| CNAME | Alias to another name | www CNAME example.com |
Subdomain takeover risk |
| MX | Mail server for domain | @ MX 10 mail.example.com |
Email security foundation |
| TXT | Text data (SPF, DKIM, verification) | @ TXT "v=spf1 ..." |
Email auth, domain verification |
| NS | Authoritative nameservers | @ NS ns1.provider.com |
Highest value target |
| CAA | Authorized Certificate Authorities | @ CAA 0 issue "letsencrypt.org" |
Prevents unauthorized certs |
| SOA | Start of Authority (zone metadata) | @ SOA ns1... admin... serial... |
Zone transfer info |
| PTR | Reverse lookup (IP → name) | 34.216.184.93.in-addr.arpa PTR ... |
Email deliverability, logging |
Attacker injects false DNS responses into a resolver's cache, redirecting users to malicious sites.
Defense: DNSSEC, use trusted resolvers
Dangling CNAME to decommissioned service (S3, Heroku) allows attacker to claim the subdomain.
Defense: Audit and remove unused DNS records
Attacker's domain initially resolves to their server, then "rebinds" to victim's internal IP (127.0.0.1), bypassing same-origin policy.
Defense: Validate Host headers, block private IPs in responses
Attacker gains access to your DNS provider account or compromises your registrar, changing your NS records.
Defense: Strong auth, registrar lock, monitoring
Unauthorized AXFR request reveals all DNS records, exposing internal infrastructure.
Defense: Restrict zone transfers to known IPs
Attacker spoofs victim's IP, sends small queries that generate large responses, overwhelming victim.
Defense: Rate limiting, response rate limiting (RRL)
The Scenario:
app.example.com hosted on Herokuapp CNAME example-app.herokuapp.comexample-app.herokuapp.comapp.example.com!What attackers can do:
*.example.comVulnerable Services:
CAA records specify which Certificate Authorities (CAs) are permitted to issue certificates for your domain. Without CAA, any CA can issue a certificate for your domain.
Without CAA:
With CAA:
# Allow only Let's Encrypt to issue certificates example.com. CAA 0 issue "letsencrypt.org" # Allow wildcard certificates only from Let's Encrypt example.com. CAA 0 issuewild "letsencrypt.org" # Report violations to your email example.com. CAA 0 iodef "mailto:security@example.com" # Block all CAs (use carefully!) example.com. CAA 0 issue ";"
CAA Tag Reference:
| Tag | Purpose | Example Value |
|---|---|---|
issue |
Authorize CA for regular certificates | "letsencrypt.org" or "digicert.com" |
issuewild |
Authorize CA for wildcard certificates | "letsencrypt.org" |
iodef |
Report policy violations | "mailto:security@example.com" |
letsencrypt.org, digicert.com, comodoca.com, sectigo.com, globalsign.com, amazonaws.com (ACM), pki.goog (Google Trust Services)
DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that responses haven't been tampered with.
DNSSEC adds these record types:
| Record | Purpose |
|---|---|
| RRSIG | Signature for a record set (e.g., signs your A records) |
| DNSKEY | Public keys used to verify signatures |
| DS | Delegation Signer - links child zone to parent (chain of trust) |
| NSEC/NSEC3 | Proves a record doesn't exist (authenticated denial) |
Chain of Trust:
Each level vouches for the next via DS records. Resolvers start from the trusted root and verify each step.
Enabling DNSSEC:
dig +dnssec to confirm# Check DNSSEC status dig +dnssec example.com # Look for 'ad' flag (Authenticated Data) in response # ;; flags: qr rd ra ad; # Query for DNSKEY records dig DNSKEY example.com +short
Traditional DNS is unencrypted—anyone on the network path can see your queries. Encrypted DNS protocols protect privacy.
| Protocol | Port | Encryption | Detection |
|---|---|---|---|
| Traditional DNS | 53 (UDP/TCP) | None | Easily monitored/filtered |
| DNS over TLS (DoT) | 853 (TCP) | TLS | Dedicated port, can be blocked |
| DNS over HTTPS (DoH) | 443 (TCP) | HTTPS | Blends with web traffic, harder to block |
Benefits:
Concerns:
For enterprises: Consider deploying your own DoH resolver or explicitly configuring endpoints to use your DNS infrastructure.
Popular Public DoH/DoT Resolvers:
| Provider | DoH URL | DoT Hostname |
|---|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query |
1dot1dot1dot1.cloudflare-dns.com |
https://dns.google/dns-query |
dns.google |
|
| Quad9 | https://dns.quad9.net/dns-query |
dns.quad9.net |
TTL determines how long DNS resolvers cache your records. It's a balance between performance and flexibility.
| TTL | Value | Use Case | Trade-off |
|---|---|---|---|
| Very Short | 60-300 sec | During migrations, failover scenarios | More DNS queries, slightly slower |
| Short | 300-3600 sec | Dynamic environments, CDNs | Good balance for most sites |
| Long | 3600-86400 sec | Stable records (MX, NS) | Slow to update, but fewer queries |
You should know immediately if your DNS records change unexpectedly. Set up monitoring for:
| Item | Priority | Status Check |
|---|---|---|
| DNSSEC enabled | High | dig +dnssec yourdomain.com - look for ad flag |
| CAA records configured | High | dig CAA yourdomain.com |
| No dangling CNAMEs | High | Audit all CNAME records, verify targets exist |
| Registrar lock enabled | High | Check registrar control panel |
| 2FA on registrar/DNS accounts | Critical | Verify in account settings |
| Zone transfers restricted | Medium | dig AXFR yourdomain.com @ns1.provider.com should fail |
| SPF, DKIM, DMARC configured | Critical | See Email Security section |
Your company used to host shop.example.com on Shopify but cancelled the store. The CNAME record still points to shops.myshopify.com. What's the risk?
Understanding common threats helps you better protect your websites and recognize potential attacks.
Attackers send emails that appear to come from your domain to conduct phishing attacks.
Prevention: Implement SPF, DKIM, and DMARC.
When a subdomain points to a decommissioned external service, attackers can claim it.
Prevention: Audit DNS records and remove unused CNAME records.
Attackers inject malicious scripts into web pages that execute in users' browsers.
Prevention: Implement CSP headers, sanitize input, encode output.
Your site is embedded in a hidden iframe, tricking users into clicking on it.
Prevention: Set X-Frame-Options: DENY or use CSP frame-ancestors.
Attackers force a connection to use unencrypted HTTP instead of HTTPS.
Prevention: Implement HSTS and consider HSTS preloading.
Attackers register domains similar to yours for phishing (e.g., "examp1e.com").
Prevention: Register common misspellings, monitor for lookalikes.
These tools can help you assess and improve your website's security posture. Most are free, open-source, or offer free tiers for basic use.
Comprehensive domain security analysis including DNS, SSL, headers, and threat intelligence.
Use SiteSpecterAnalyze URLs and files against 70+ antivirus engines and blocklisting services.
Visit VirusTotalAnalyze websites in a safe, sandboxed environment with detailed reports and screenshots.
Visit URLScan.ioCheck if a URL is flagged as dangerous by Google's Safe Browsing service.
Safe Browsing CheckCommunity-driven clearinghouse for phishing data. Check and report phishing URLs.
Visit PhishTankAI-powered phishing URL scanner with real-time analysis and screenshots.
Visit CheckPhishDeep analysis of SSL/TLS configuration with detailed recommendations and grading.
Visit SSL LabsAnalyze your HTTP response headers and get a security grade.
Visit SecurityHeadersComprehensive website security scanner from Mozilla covering headers, TLS, and more.
Visit ObservatoryCertificate Transparency log search. Find all SSL certificates issued for a domain.
Visit crt.shGoogle's tool to evaluate Content Security Policy for weaknesses and bypasses.
CSP EvaluatorCheck email configuration including SPF, DKIM, DMARC, and blacklist status.
Visit MXToolboxDNS reconnaissance tool. Discover subdomains, MX, TXT, and other records.
Visit DNSDumpsterCollection of DNS tools including reverse IP, WHOIS, port scanner, and more.
Visit ViewDNSCheck DMARC, SPF, and DKIM records. Understand email authentication setup.
DMARC CheckHistorical DNS data, WHOIS, and subdomain enumeration. Free tier available.
Visit SecurityTrailsCommunity-driven threat intelligence with free access to indicators of compromise.
Visit OTXSearch engine for internet-connected devices. Find exposed services and vulnerabilities.
Visit ShodanAnalyze internet-wide scan and attack traffic. Identify benign vs malicious IPs.
Visit GreyNoiseIOC sharing platform from abuse.ch. Search malware indicators and C2 servers.
Visit ThreatFoxMalware sample sharing. Search hashes and download samples for analysis.
Visit MalwareBazaarOpen-source web application security scanner. Industry standard for pen testing.
Visit ZAPCommand-line tool for checking TLS/SSL ciphers, protocols, and vulnerabilities.
Visit testssl.shView historical snapshots of websites to investigate changes over time.
Visit Wayback MachineTechnology lookup tool. See what frameworks, CMS, and services a site uses.
Visit BuiltWithBrowser extension to identify technologies on websites. Free and open-source.
Visit WappalyzerFind email addresses associated with a domain. Useful for social engineering awareness.
Visit Hunter.ioOSINT tool for gathering emails, subdomains, hosts, and more from public sources.
View on GitHubSearch engine for leaked credentials and personal data. Useful for exposure checks.
Visit DeHashedMozilla's breach notification service powered by Have I Been Pwned.
Visit Firefox MonitorSearch engine for leaked data, darknet, and OSINT sources. Free tier available.
Visit IntelligenceXBuilt into every browser. Inspect network traffic, cookies, storage, and more.
Press F12Network protocol analyzer. Capture and inspect network traffic at the packet level.
Visit WiresharkDeepen your knowledge of web security with these trusted external resources from industry leaders and security organizations.
World's largest source for information security training and research.
SANS Reading RoomMozilla's comprehensive web security documentation covering CSP, CORS, HTTPS.
MDN SecurityEducational content about DNS, DDoS protection, SSL/TLS, and web security.
Cloudflare LearningFree, hands-on web security training with interactive labs.
Web Security AcademyIn-depth security news and investigation by journalist Brian Krebs.
Krebs on SecurityDaily cybersecurity news covering vulnerabilities, breaches, and research.
The Hacker News