## Security vs Authentication

Authentication:

    - control expected actions by your website visitors
    - Grant some visitors (e.g logged in visitors) more privileges than other

Web Security:

    - Prevent unexpected (potentially malicious) actions by visitors / other people
    - Prevent exposing data or granting unwanted access to certain actions or your code

## CSRF Attacks

    - Stands for: Cross Site Request Forgery:

    - An attack pattern where a malicious user creates a request that sends a request to your backend and causes some action that isn't suppose to happen.

    - Forged Request: Triggers action on your site's backend code

    - Usually involves user sessions

    - Example: A user logged into to a website where they are able to transfer money to users via email. A user can receive a link to a malicious website that resembles the authentic website and send money from there. Since the user is logged in, there could be an active session, so if they redirect to the original website(send a post request), they will be allowed.
    The fake website will send a post request to the original website but with other values inserted into the form. Can be done by creating hidden insert values with pre-defined email and amount to send. When the post request is handled by the original website, the user will think he send the money correctly.






## Same-Site Cookies

- Cookie configuration that can be set on the server-side where browsers also assume certain default values if it was not explicitly configured.

- Chrome browser uses **Lax** as a default configuration.

- Lax: cookies can be attached to requests that come from a different website but only if visited that website from the initial site. 
    - This can prevent the CSRF attack
    - Disabled in localhost. 
    - Safari and Fire-Fox don't use it as a default, therefore we should set it in our server-side code.

- This won't be full protection for all our users

- Not all users will use latest version of browsers that don't support Lax 

## Protecting Against CSRF Attacks

- **CSRF Token**: random looking string values that are generated on the server-side, only known by the server and are short-lived(for only one request response cycle).

- The tokens are injected into the templates that are rendered by the server(for example in a hidden input field) and then for incoming requests, the server checks wether such a valid token is part of the request.

- Since the tokens are only valid for one incoming request, and only exists in the official templates rendered by the server, the token's can't be guessed or faked. 

- Requests without a valid CSRF Token are blocked

- **For node express apps: csurf package is used**
    - input values containing csrf tokens, should have the name: name="_csrf" !
    - that's the name the csurf package will look for when the request is submitted
    - automatically done by csurf middleware

### In general, Any request that manipulates something on your backend (typically POST requests - but that's just the convention), should carry as CSRF Token!

## XSS Attacks

- Cross Site Scripting Attacks: Injecting malicious browser-side javascript code into the content of a website

- You can send javascript code from a comment section like an AJAX request to some route. The request will have the a valid session because it's coming from the official site so it would have a valid csrf token. 

## Protecting XSS Attacks

- Don't output + parse raw HTML content (if provided by users)

- Escaping user input: in express templating (<%= >)
    - using the **equal sign tag** above would escape and treat the input as plain text
    - if you are using a different templating engine, look up their escape tag

- Sanitize (clean) user input before processing & storing
    - 



## SQL Injection


**SQL**
    - Attacks that pass in malicious sql queries
    - Escape user input when processing
    - Most sql packages have built in protection

**NoSQL**
    - 