🔐 Cyber Security
From HTTP to SQL injection — understand how the web works and how to keep it safe. Plain English explanations with quizzes.
HTTP & HTTPS
BeginnerHTTP (HyperText Transfer Protocol) is the language browsers and servers use to talk to each other. When you type a website address and press Enter, your browser sends an HTTP request; the server sends back an HTTP response containing the web page.
HTTPS adds a security layer called TLS (Transport Layer Security). It encrypts the conversation so nobody in the middle can read your passwords or credit-card numbers.
| Feature | HTTP | HTTPS |
|---|---|---|
| Port | 80 | 443 |
| Encryption | None | TLS |
| Padlock in browser | No | Yes |
| Safe for passwords? | No | Yes |
GET — fetch a page | POST — send data | PUT — update | DELETE — remove
If a site uses plain HTTP, attackers on the same network can perform a man-in-the-middle attack — reading or changing data before it reaches you.
Cookies
BeginnerA cookie is a small piece of data that a server sends to your browser. The browser stores it and sends it back with every future request to that site. This lets the site remember you — for example, keeping you logged in.
HttpOnly — JavaScript cannot read this cookie (stops XSS from stealing it)
Secure — only sent over HTTPS
SameSite — controls cross-site sending (helps prevent CSRF)
If a session cookie is stolen (via XSS or an insecure network) an attacker can use it to log in as you — without needing your password.
Sessions
BeginnerHTTP is stateless — each request is independent. Sessions solve this: when you log in, the server creates a session record and gives your browser a session ID (stored in a cookie). Every request sends that ID so the server knows who you are.
- 1
You send your username and password.
- 2
Server verifies them and creates a session record in its database.
- 3
Server sends back a session ID cookie.
- 4
Your browser sends the session ID on every request — the server looks it up and knows it is you.
- 5
When you log out, the server deletes the session record — the cookie becomes useless.
Always create a new session ID after login. Attackers exploit session fixation by planting a known ID before login, then using it after you authenticate.
APIs
BeginnerAn API (Application Programming Interface) is a set of rules that lets different software talk to each other. A web API usually works over HTTP — your app sends a request, the server responds with data (often in JSON format).
Broken object-level authorisation — an API returning /users/42 might also return /users/43 without checking permission.
Exposed keys — never put API keys in client-side code or public repositories.
Authentication
BeginnerAuthentication = proving who you are. Authorisation = what you are allowed to do. These are two different things — never mix them up!
| Method | How it works | Security |
|---|---|---|
| Password only | Username + password | Weak if reused |
| MFA / 2FA | Password + OTP or app | Much stronger |
| OAuth 2.0 | "Login with Google" | Delegates to trusted provider |
| Passkeys / WebAuthn | Biometric / hardware key | Phishing-resistant |
Always hash passwords with a slow algorithm (bcrypt, Argon2) — never store plain text. Enable MFA wherever possible.
DNS
BeginnerDNS (Domain Name System) is the internet's phone book. When you type google.com, DNS translates it into an IP address (like 142.250.185.46) so your computer knows where to connect.
- 1
You type
example.comin the browser. - 2
Your computer asks its DNS resolver (usually your ISP or 8.8.8.8).
- 3
The resolver finds the IP address and returns it.
- 4
Your browser connects to that IP address.
Attackers can inject fake DNS responses, pointing yourbank.com at an evil server. DNSSEC adds digital signatures to prevent this.
Hosting
BeginnerHosting means renting server space so your website is accessible on the internet 24/7. The server stores your files and sends them to visitors.
| Type | What it means | Best for |
|---|---|---|
| Shared hosting | Many sites on one server | Small sites, cheap |
| VPS | Virtual private server — your own slice | Growing sites |
| Dedicated server | Whole machine for you | High traffic, full control |
| Cloud (AWS, GCP…) | Scalable on demand | Modern apps |
| Static hosting (Netlify…) | Files served via CDN | Front-end only |
Keep server software updated. Exposed admin panels (e.g. phpMyAdmin on a public URL) are a common entry point for attackers.
Browsers
BeginnerBrowsers enforce many security rules to protect you. Understanding them helps you build safer websites.
A page at https://site-a.com cannot read data from https://site-b.com. This is the fundamental browser security rule — it stops malicious scripts from stealing data from other sites.
A server can tell the browser "only run scripts from these trusted sources". CSP is a powerful defence against XSS attacks.
CORS
IntermediateCORS (Cross-Origin Resource Sharing) allows a server to say "I accept requests from this other origin". Without it, the Same-Origin Policy blocks all cross-origin requests.
Setting Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true lets any website make authenticated requests to your API — a critical security flaw.
Only list the specific origins you trust. Never use * with credentials.
JWT (JSON Web Tokens)
IntermediateA JWT is a compact token that proves your identity without the server needing to store sessions. It has three parts separated by dots: Header, Payload, and Signature.
The server signs the token with a secret key. Anyone can read the payload (it is base64, not encrypted!) but cannot change it without invalidating the signature.
Algorithm confusion — changing "alg":"HS256" to "alg":"none" to skip verification.
Weak secret — short secrets can be brute-forced.
Sensitive data in payload — never store passwords in a JWT payload.
Reverse Proxies
IntermediateA reverse proxy sits in front of your servers and forwards client requests to the right one. Users see only the proxy — your real servers are hidden.
Load balancing — spread traffic across multiple servers
SSL termination — handle HTTPS so backend servers do not have to
Caching — serve cached responses for speed
WAF — block malicious requests before they reach your app
DDoS protection — absorb and filter attack traffic
Misconfigured reverse proxies can expose internal services. Always validate the Host header and restrict which backends can be accessed.
SQL Injection
AdvancedSQL Injection (SQLi) is one of the most dangerous and common web vulnerabilities. It happens when user input is placed directly into a SQL query without sanitisation.
Always use prepared statements / parameterised queries. The database treats user input as data, never as SQL code.
XSS (Cross-Site Scripting)
AdvancedXSS lets an attacker inject malicious JavaScript into a web page that other users view. The script runs in the victim's browser, where it can steal cookies, redirect users, or deface the page.
Escape output — convert < > into HTML entities before displaying user data.
Use a Content Security Policy header.
Set HttpOnly on session cookies so XSS cannot steal them.
CSRF (Cross-Site Request Forgery)
AdvancedCSRF tricks a logged-in user's browser into making an unwanted request to a site where they are authenticated. Because the browser automatically sends cookies, the server thinks the request is legitimate.
You are logged into your bank. An attacker sends you a link to a page that silently submits a POST to bank.com/transfer?to=attacker&amount=1000. Your browser includes your session cookie — the bank processes it.
CSRF tokens — a secret random value in every form that attackers cannot guess.
SameSite cookie flag — set to Strict or Lax.
Check the Origin/Referer header on sensitive requests.
Authentication Flaws
AdvancedEven correct password checking can be broken by poor implementation. These flaws allow attackers to bypass or abuse the login process.
| Flaw | What happens | Fix |
|---|---|---|
| No account lockout | Unlimited password guesses (brute force) | Lock after N fails + CAPTCHA |
| Verbose errors | "Username not found" reveals valid usernames | Generic: "Invalid credentials" |
| Insecure forgot-password | Predictable tokens or no expiry | Random token, short expiry, one-time use |
| Plain-text passwords | Database breach = all passwords exposed | bcrypt / Argon2 hashing |
| No MFA | Stolen password = full access | Require second factor |
IDOR (Insecure Direct Object Reference)
IntermediateIDOR happens when an application uses a user-supplied value (like an ID in the URL) to access objects without checking the user has permission.
Always check on the server that the currently logged-in user owns or has permission to access the requested object. Never trust IDs from the URL alone.
File Upload Vulnerabilities
AdvancedFile upload features are high-risk. If not properly restricted, an attacker can upload a malicious file (e.g. a web shell) and execute it on the server.
An attacker uploads a PHP file. If the server executes PHP in the upload folder, the attacker gains remote code execution — full control of the server.
✓ Validate file extension AND MIME type server-side
✓ Rename uploaded files (random name, strip dangerous extensions)
✓ Store files outside the web root
✓ Serve through a CDN or media server
✓ Set upload size limits
SSRF (Server-Side Request Forgery)
AdvancedSSRF tricks the server into making HTTP requests on behalf of the attacker — to internal services that should never be publicly accessible.
Validate and whitelist allowed URLs. Block requests to 127.0.0.1, 169.254.x.x, and internal RFC-1918 ranges. Use a separate outbound proxy with an allow-list.
Command Injection
AdvancedCommand injection happens when user input is passed to a system shell command without sanitisation, allowing the attacker to run arbitrary OS commands.
Never pass user input to shell commands. Use library functions instead — Python: pass a list to subprocess.run(), not a string. Strictly validate and whitelist if a shell call is unavoidable.
TCP/IP, Ports, Firewalls & SSH
BeginnerTCP/IP is the fundamental protocol stack for the internet. TCP ensures reliable, ordered delivery of data; IP handles routing packets between machines.
| Port | Protocol | Used for |
|---|---|---|
| 22 | SSH | Secure remote shell |
| 80 | HTTP | Web (unencrypted) |
| 443 | HTTPS | Web (encrypted) |
| 3306 | MySQL | Database |
| 5432 | PostgreSQL | Database |
A firewall filters traffic by rules — "allow port 443 from anywhere, block everything else". Software firewalls like ufw or iptables protect individual servers.
SSH lets you securely log into a remote server over an encrypted connection. Always use key-pair authentication and disable root login.
Command Line
BeginnerThe command line (terminal / shell) lets you control a computer by typing text commands. It is an essential skill for security professionals.
| Command | What it does |
|---|---|
ls / dir | List files in current folder |
cd path | Change directory |
cat file | Show file contents |
grep "text" file | Search for text in a file |
curl URL | Make an HTTP request |
netstat -tlnp | Show open ports and listening services |
ping host | Test network connectivity |
nmap -sV host | Scan ports and detect services |
whoami | Show current user |
sudo command | Run as administrator |
Commands like rm -rf / can destroy your system. Always understand a command before running it, especially with sudo.
🎯 Test Your Knowledge
21 questions — one per topic. See how much you have learned!