XSSCSRFSecurityCookiesCSPInput Sanitization

XSS & CSRF Basics

The two most common web security vulnerabilities every frontend developer must understand. XSS injects malicious scripts into your app. CSRF tricks the browser into making unauthorized requests. Both can compromise every user's account if left unprotected.

24 min read17 sections
01

Overview

XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery) are the two most common security vulnerabilities in web applications. XSS allows an attacker to inject malicious JavaScript that runs in a victim's browser — stealing tokens, hijacking sessions, or defacing the UI. CSRF tricks the victim's browser into making authenticated requests the user never intended.

They attack from different angles: XSS exploits the trust a user has in a website (the site serves malicious code). CSRF exploits the trust a website has in the user's browser (the browser sends cookies automatically). Understanding both — and how to prevent them — is non-negotiable for frontend developers.

In interviews, security questions separate senior candidates from juniors. "How would you prevent XSS in your app?" and "Explain CSRF and how SameSite cookies help" are common questions that test real-world understanding, not textbook definitions.

Why frontend developers must care

Security isn't just a backend concern. XSS is a frontend vulnerability — it happens because the frontend renders untrusted data. CSRF succeeds because the frontend uses cookies for authentication. Both are prevented (or caused) by frontend decisions.

1 / 17