Alpaca attack, slow loris attack and why timeouts are important

Web Security issues

Introduction

Browser End: Browser security e.g. Same Origin Policy – Isolate sites from each other, while running in the same browser.

Server End: Server-side security e.g. Attackers can run arbitrary HTTP clients; can send anything to server.

Client End: Client-side security e.g. Prevent user from being attacked while using web app locally.

User End: Protect the user from social engineering, from trackers, private data being leaked etc.

Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.

It is all too easy to criticize, lament, and create paranoid scenarios about the 'unsound security foundations' of the web. The truth is that all of that criticism is valid, and yet the web has proven to be an incredibly robust platform.

HTTP

Client-server model - Client asks server for resource, server replies

Simple - Human-readable text protocol

Extensible - Just add HTTP headers

Transport protocol agnostic - Only requirement is reliability

Stateless - Two requests have no relation to each other

Every HTTP request consists of a request method, headers and an optional body/payload; every HTTP response consists of a response status code, headers and a response payload.

The common HTTP methods are GET, HEAD, POST, PUT, PATCH, DELETE and OPTIONS, among others.
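To make the request/response structure just described concrete, here is a small HTTP/1.1 message parser written as an added example for these notes (it is not code from the original page). It splits a raw message into its start line, headers and body exactly as the text lays them out, and it distinguishes a message that is merely incomplete from one that is malformed. The sample messages, the host name `example.test` and the helper names `parse_message` and `is_complete` are all constructed for this example. The incomplete-message case is also why the title mentions timeouts: a server that has received a header block with no terminating blank line cannot know whether the rest is still in flight or will never arrive, so it must bound how long it waits.

```python
"""Minimal HTTP/1.1 message parser (added example, not from the original notes).

Demonstrates the structure described above: a request has a method, target,
headers and optional body; a response has a status code, reason, headers and
payload. All sample messages below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

CRLF = b"\r\n"
HEADER_END = b"\r\n\r\n"   # blank line that terminates the header block


class IncompleteMessage(Exception):
    """Bytes seen so far do not yet form a whole message (more may follow)."""


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""
    version: str = ""
    method: Optional[str] = None        # request only
    target: Optional[str] = None        # request only
    status_code: Optional[int] = None   # response only
    reason: Optional[str] = None        # response only


def parse_headers(block: bytes) -> Dict[str, str]:
    """Parse 'Name: value' lines; header names are case-insensitive, so lowercase them."""
    headers: Dict[str, str] = {}
    for line in block.split(CRLF):
        name, sep, value = line.decode("ascii").partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_message(raw: bytes) -> HttpMessage:
    """Parse a complete request or response; raise IncompleteMessage if bytes are missing."""
    end = raw.find(HEADER_END)
    if end == -1:
        # No blank line yet: the header block is still open. A server that
        # waits here forever is what a read timeout exists to prevent.
        raise IncompleteMessage("header block not terminated")
    head, rest = raw[:end], raw[end + len(HEADER_END):]
    start_line, _, header_block = head.partition(CRLF)
    msg = HttpMessage(start_line=start_line.decode("ascii"))
    msg.headers = parse_headers(header_block) if header_block else {}

    parts = msg.start_line.split(" ", 2)
    if parts[0].startswith("HTTP/"):
        # Status line: HTTP-version SP status-code SP reason-phrase
        if len(parts) < 2:
            raise ValueError(f"malformed status line: {msg.start_line!r}")
        msg.version, msg.status_code = parts[0], int(parts[1])
        msg.reason = parts[2] if len(parts) == 3 else ""
    else:
        # Request line: method SP request-target SP HTTP-version
        if len(parts) != 3:
            raise ValueError(f"malformed request line: {msg.start_line!r}")
        msg.method, msg.target, msg.version = parts

    # Body length is announced by Content-Length; a short body is also incomplete.
    length = int(msg.headers.get("content-length", "0"))
    if len(rest) < length:
        raise IncompleteMessage(f"body has {len(rest)} of {length} bytes")
    msg.body = rest[:length]
    return msg


def is_complete(raw: bytes) -> bool:
    """True if `raw` holds an entire message, False if more bytes are still needed."""
    try:
        parse_message(raw)
        return True
    except IncompleteMessage:
        return False


# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"user=alice&pass=secret"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
# Header block never terminated: the kind of input a read timeout must bound.
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Note: still-sending\r\n"

if __name__ == "__main__":
    print(parse_message(SAMPLE_REQUEST))
    print(parse_message(SAMPLE_RESPONSE))
    print("partial request complete?", is_complete(PARTIAL_REQUEST))
```

The parser keys headers by lowercase name because HTTP header names are case-insensitive; the body length comes from `Content-Length`, so a declared length larger than the bytes received is reported as incomplete rather than accepted as a shorter body.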