
Security (medium)

Explain XSS, CSRF, and SSRF, and one mitigation for each.

Tags: #xss #csrf #ssrf #web-security

Answer

XSS injects scripts into a page; mitigate with output encoding and CSP. CSRF tricks a browser into sending a trusted request; mitigate with CSRF tokens and SameSite cookies. SSRF makes a server request internal resources; mitigate with allowlists and network egress controls.

Advanced answer

Deep dive

  • XSS: attacker executes scripts in user context (stored, reflected, DOM).
  • CSRF: attacker causes a victim browser to send a trusted request.
  • SSRF: the server is tricked into calling internal services or metadata endpoints on the attacker's behalf.

Key mitigations:

  • XSS: output encoding, CSP, avoid unsafe HTML, use HttpOnly cookies.
  • CSRF: SameSite cookies + CSRF tokens for state-changing requests.
  • SSRF: strict allowlists, block internal IP ranges, validate DNS + resolved IPs.

Examples

Minimal CSP header for XSS mitigation:

Content-Security-Policy: default-src 'self'; script-src 'self'

Common pitfalls

  • Sanitizing input but forgetting to encode output.
  • Relying only on Referer for CSRF protection.
  • Allowlisting hostnames without checking resolved IPs (DNS rebinding).
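
Added example (not code from the page or the LetsGit.IT platform) of the SSRF checks listed above applied to an outbound fetcher: scheme and hostname allowlisting, then validation of every address the hostname resolves to, returning a single pinned IP so the fetch does not resolve the name a second time. The allowlisted hostname and the resolver results used in the test are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only hosts the fetcher may contact.
ALLOWED_HOSTS = {"images.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses: rejects loopback, RFC 1918,
    link-local (including 169.254.169.254 metadata), and IPv4-mapped IPv6 forms."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return addr.is_global and not addr.is_multicast


def resolve(host: str) -> list:
    """Default resolver: every A/AAAA answer for host (requires network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolver=resolve) -> str:
    """Return the pinned IP the fetcher must connect to, or raise ValueError.

    The caller connects to the returned IP (still sending the original Host
    header) instead of resolving the hostname again, which closes the
    DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")  # user@host confusion
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    ips = resolver(host)
    if not ips:
        raise ValueError("hostname did not resolve")
    # Every answer must be public: a mixed answer set is a rebinding/round-robin trick.
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:
        raise ValueError(f"host resolves to non-public address(es): {bad}")
    return ips[0]
```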

Interview follow-ups

  • When can CSRF still happen with SameSite=Lax?
  • How do you protect image fetchers from SSRF?
  • What is DOM-based XSS and why is it tricky?