Session fixation, by most definitions, is a subclass of session hijacking.
Content Security Policy (CSP) is a new(ish) technology put together by Mozilla that Web apps can use as an additional layer of protection against Cross-Site Scripting (XSS). This protection against XSS is the primary goal of CSP technology.
Learn about what is CSRF and developing CSRF prevention design principles.
HTTP Strict Transport Security (HSTS) is a new(ish) technology that allows an application to force browsers to use only SSL/TLS (HTTPS, not HTTP) when they visit that application.
Session cookies (or, to Java folks, the cookie containing the JSESSIONID) are the cookies used to perform session management for Web applications.
Clickjacking prevention is a type of “Web framing” or “UI redressing” attack.
X-Frame-Options allows an application to specify whether or not specific pages of the site can be framed. This is meant to help prevent the clickjacking problem.
Please forgive the title, but today’s topic is something to be wary of if you write (or use) any access control / authorization type code in Web-based J2EE apps: HTTP URL path parameters.
These cookies hold the reference to the session identifier for a given user, and the same identifier − along with any session-scoped data related to that session id − is maintained server-side.
Error or exception handling is an important, but often ignored, part of any application. And although there’s a lot to be said on the topic I’m going to cover only a few of the most critical cases in J2EE Web applications.