- JavaScript can be injected through CSS (e.g. background:url(javascript:...) in legacy browsers, or CSS that loads attacker-controlled content) and through eval() on untrusted input; avoid eval()/new Function() and do not allow 'unsafe-eval' in CSP
- CSP is not your security strategy, CSP is a safety net (defence in depth behind output encoding, not the fix for XSS)
- X-Frame-Options: DENY (and the CSP directive frame-ancestors 'none') against clickjacking
- use HttpOnly cookies so script cannot read the session cookie
- be sceptical of JWT (stateless tokens are hard to revoke; always pin and verify the algorithm)
- rel="noopener noreferrer" on every target="_blank" link (stops tabnabbing and referrer leaks)
- use CSRF tokens (plus SameSite cookies)
- block XSS: encode output for the context it lands in, sanitise any HTML you must render
- be aware of encoding (HTML body, attribute, JavaScript, URL and CSS contexts each need their own escaping)
- be careful with JSONP (it executes a script from another origin; prefer CORS)
- stay up-to-date (framework, dependencies, runtime)
- never use plain HTTP: serve everything over HTTPS, send HSTS, and mark cookies Secure
Set-Cookie: key=value; SameSite=Strict
Set-Cookie: key=value; HttpOnly
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
// Multiple directives are also possible, for example:
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly
https://expressjs.com/en/advanced/best-practice-security.html