# Introduction

**Useful links:**

*   XSS attacks [What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy](https://portswigger.net/web-security/cross-site-scripting)
    
*   CSRF attacks [What is CSRF (Cross-site request forgery)? Tutorial & Examples | Web Security Academy](https://portswigger.net/web-security/csrf)
    
*   XFS (cross-frame scripting) attacks [Framing Attacks and Cross-frame scripting explained](https://crashtest-security.com/cross-frame-scripting-xfs/)
    
*   CSP basics [Content Security Policy (CSP) - HTTP | MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
    
*   X-Frame-Options header [X-Frame-Options - HTTP | MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
    
*   CSRF token [Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
    
*   XSS, CSRF and CSP vulnerabilities (lab root-me) [Challenges/Web - Client \[Root Me : Hacking and Information Security learning platform\]](https://www.root-me.org/en/Challenges/Web-Client/)
    
*   SameSite cookie attribute [Set-Cookie - HTTP | MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value)
    

**TL;DR: Use the security features built into your framework, and do not hand-roll code that builds HTML or JavaScript from untrusted input. Enable the protections your framework already integrates, such as CSRF tokens, output encoding and SameSite session cookies.**  
**Deny all framing of your pages (X-Frame-Options: DENY / CSP frame-ancestors 'none'), or scope it to trusted origins if embedding is genuinely needed.**