Explain XSS, CSRF, and SSRF, and one mitigation for each.

Deep dive

• XSS: attacker executes scripts in user context (stored, reflected, DOM).
• CSRF: attacker causes a victim browser to send a trusted request.
• SSRF: server is tricked to call internal services or metadata endpoints.

Key mitigations:

• XSS: output encoding, CSP, avoid unsafe HTML, use HttpOnly cookies.
• CSRF: SameSite cookies + CSRF tokens for state-changing requests.
• SSRF: strict allowlists, block internal IP ranges, validate DNS + resolved IPs.

Examples

Minimal CSP header for XSS mitigation:

Content-Security-Policy: default-src 'self'; script-src 'self'

Common pitfalls

• Sanitizing input but forgetting to encode output.
• Relying only on Referer for CSRF protection.
• Allowlisting hostnames without checking resolved IPs (DNS rebinding).

Interview follow-ups

• When can CSRF still happen with SameSite=Lax?
• How do you protect image fetchers from SSRF?