Application Security · 7 modules

Web Security

Understand how the web is attacked and defended — the browser security model, cross-site attacks like XSS and CSRF, SSRF and IDOR, security headers such as CSP, modern authentication with passkeys, and threat modeling. Built from MDN's web security documentation and made to stick with spaced repetition.

flashcards
108
flashcards
per day
~10 min
per day
level
Beginner → Intermediate
level
modules
7
modules
About this topic

What is web security?

Web security is the practice of protecting websites and their users from attack — understanding how a browser isolates one origin from another, how attackers get around those defenses, and which headers, policies and authentication mechanisms close the gaps. This track is built from MDN's web security documentation, the freshly rewritten reference that maps each attack to the defenses that stop it.

The deck follows the structure of the field itself. The browser security model covers origins, the same-origin policy, secure contexts and subresource integrity. Cross-site attacks covers XSS, CSRF, clickjacking, XS-Leaks and prototype pollution, while server and ecosystem attacks covers phishing, manipulator-in-the-middle, SSRF, IDOR, subdomain takeover and supply chain. Security headers and policies covers CSP, CORP, referrer policy, cookie attributes and MIME sniffing.

The final modules move from mechanism to practice. Authentication covers password storage, passkeys, one-time passwords, federated identity and session management; threat modeling covers assets, trust boundaries, STRIDE and risk response; and a set of applied practical scenarios asks you to diagnose a real incident and pick the fix. Spaced repetition turns a reference you skim once into judgement you apply in every review.

What you'll learn

7 modules, seed to bloom

Each module is a set of flashcards — 108 in total. Answer, review, and watch your knowledge grow from seed to full bloom.

Browser Security Model

Origins, same-origin policy, secure contexts, and integrity

15 cards

Cross-Site Attacks

XSS, CSRF, clickjacking, XS-Leaks, and prototype pollution

15 cards

Server & Ecosystem Attacks

Phishing, MITM, SSRF, IDOR, subdomain takeover, supply chain

15 cards

Security Headers & Policies

CSP, CORP, Referrer-Policy, nosniff, cookies, and robots.txt

15 cards

Authentication

Passwords, passkeys, OTP, federated identity, and sessions

15 cards

Threat Modeling

Assets, trust boundaries, STRIDE, and risk response

15 cards

Practical Tips

Applied web-security scenarios and how to respond

18 cards
Try before you plant

Sample questions

A taste of the real flashcards. Pick an answer, then reveal the explanation.

Sample · Web Security

What does the same-origin policy primarily restrict?

  • AScripts reading data from another origin — it blocks cross-origin access to responses and the DOM
  • BServers accepting requests from another origin — it rejects any inbound cross-site traffic
  • CBrowsers sending any request to another origin — it stops all cross-origin network calls
  • DUsers navigating links to another origin — it confines browsing to the initial site only
Permalink & share
Sample · Web Security

How does a cross-site request forgery (CSRF) attack work?

  • AA malicious page makes the victim's browser send an authenticated request to a target site
  • BA malicious page reads the victim's session cookie and replays it against the target site
  • CA malicious page injects a script into the target site that runs in the victim's session
  • DA malicious page intercepts the victim's request and rewrites it before it reaches the site
Permalink & share
Sample · Web Security

Why can a passkey not be used on a phishing look-alike domain?

  • AThe authenticator checks the request origin against the stored relying-party ID and refuses a mismatch
  • BThe browser warns the user that the domain is unfamiliar and cancels the sign-in automatically
  • CThe passkey is encrypted with the real domain's TLS certificate, which the fake site lacks
  • DThe private key is emailed to the registered address, so a look-alike site never receives it
Permalink & share
Sample · Web Security

What are the four key questions of threat modeling?

  • AWhat are we building, what can go wrong, what do we do about it, and did we do enough
  • BWho is the attacker, what is their budget, when will they strike, and where from
  • CWhich tool to run, which report to read, which bug to fix, and which to defer
  • DWhat to encrypt, what to hash, what to sign, and what to leave in plaintext
Permalink & share
How Gnoseed works

Learn it once, keep it for good

1

Answer a question

Each card is one practical concept with multiple options. Pick what you think is right.

2

Get the full answer

See the correct option plus a clear explanation, and a link to deeper docs when one is available.

3

Review at the right time

A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.

Why learn this

Why web security is worth your time

Attacks mapped to defenses

Every attack is paired with what actually stops it — XSS with output encoding and CSP, CSRF with tokens and SameSite, clickjacking with frame-ancestors.

Grounded in MDN

Drawn from Mozilla's newly rewritten web security docs, with every card linking to the exact MDN page for deeper reading.

Modern authentication

Passkeys, TOTP and federated identity — the phishing-resistant mechanisms replacing passwords, explained from first principles.

Review with confidence

Know why each answer is right and why the plausible alternatives are wrong — the judgement a real security review needs.

FAQ

Common questions

Who is this track for? +

Web developers, frontend and backend engineers, and anyone preparing for an appsec interview who wants to understand how the web is attacked and defended. It starts each topic from fundamentals but goes deep enough to be useful in real reviews.

How is this different from the Secure Coding track? +

Secure Coding takes the developer checklist angle across any stack. Web Security takes the browser-and-web angle from MDN — the same-origin policy, security headers, cross-site attacks and modern web authentication. They complement each other.

Which sources does it follow? +

The questions are built from MDN's web security documentation, covering attacks, defenses, authentication and threat modeling. Each card links to the corresponding MDN page.

Is it free? +

Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.

Ready to secure the web?

Plant your first seed today. Ten minutes a day builds the security instincts you'll reach for in every pull request.

Start learning free