[TOC]

Resources

Book: 白帽子讲Web安全 (White Hat Talks About Web Security)

Web security @MDN
https://developer.mozilla.org/en-US/docs/Web/Security

OWASP Cheat Sheet Series
https://cheatsheetseries.owasp.org/index.html

Cross-site scripting @Google
https://www.google.com/about/appsecurity/learning/xss/index.html

Using HTTP cookies
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
Detailed usage of cookies, including the security-related options

Front-end security series @ Meituan tech team
https://juejin.im/post/5bad9140e51d450e935c6d64
=> xss-game -> answer

Basic requirements

Confidentiality, integrity, availability

Same-origin policy

host (domain name or IP)
subdomain
port
protocol (https, http, ftp…)
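As an added example (not part of the original notes), a small JavaScript check that compares two URLs by scheme, host and port the way the same-origin policy does; the sample URL pairs are constructed, and the table of default ports is an assumption added so the comparison stays explicit after the URL parser drops them:

```javascript
// Added example: decide whether two URLs are same-origin and report which of
// scheme, host or port differs. Relies on the WHATWG URL parser built into
// Node.js and browsers.

// Assumed table of default ports for the "special" schemes; the URL parser
// strips them from url.port, so they are restored to make the comparison explicit.
const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443", ftp: "21" };

function originParts(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1); // "https:" -> "https"
  // hostname is the full host, so a subdomain (api.example.com) is a different
  // host than its parent (example.com); path, query and fragment play no role.
  const host = u.hostname;
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[scheme] || "");
  return { scheme, host, port, origin: u.origin };
}

function compareOrigins(a, b) {
  const pa = originParts(a);
  const pb = originParts(b);
  const differs = ["scheme", "host", "port"].filter((k) => pa[k] !== pb[k]);
  return { sameOrigin: differs.length === 0, differs, a: pa.origin, b: pb.origin };
}

function describe(a, b) {
  const r = compareOrigins(a, b);
  return r.sameOrigin
    ? `${r.a} vs ${r.b}: same origin`
    : `${r.a} vs ${r.b}: cross origin (differs in ${r.differs.join(", ")})`;
}

// Constructed sample pairs, one for each rule in the notes above.
const SAMPLES = [
  ["https://example.com/page?x=1#top", "https://example.com:443/other"], // same origin
  ["https://example.com", "http://example.com"],                          // scheme (and default port)
  ["https://example.com", "https://api.example.com"],                     // subdomain = different host
  ["https://example.com", "https://example.com:8443"],                    // explicit port
];

for (const [a, b] of SAMPLES) {
  console.log(describe(a, b));
}
```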