1. Which of the following is the most effective way to prevent SQL Injection attacks?
A) Input sanitization
B) Using stored procedures
C) Using prepared statements and parameterized queries
D) Escaping special characters
Answer: C) Using prepared statements and parameterized queries
Explanation: Prepared statements send the query structure and the user-supplied values to the database separately, so input is always treated as data and can never alter the SQL grammar. Input sanitization and escaping are defense in depth but error-prone, and stored procedures only help if they do not build dynamic SQL internally. Identifiers such as table or column names cannot be parameterized and must come from an allow-list.
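Added example (written for this page, not part of the original quiz): the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table, plus the allow-list pattern for the one case placeholders cannot cover, an ORDER BY column chosen by the user. Table, rows and the `SORTABLE_COLUMNS` map are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String concatenation: the input becomes part of the SQL grammar, so a quote
    # in it can terminate the literal and append arbitrary conditions.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Placeholder binding: the driver sends the value separately from the statement,
    # so it is compared as a plain string no matter which characters it contains.
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]

# Identifiers (column names in ORDER BY, table names) cannot be bound as parameters.
# The only safe option is an allow-list mapping user choices to fixed SQL fragments.
SORTABLE_COLUMNS = {"username": "username", "id": "id"}

def list_users_sorted(conn: sqlite3.Connection, sort_key: str) -> list:
    try:
        column = SORTABLE_COLUMNS[sort_key]
    except KeyError:
        raise ValueError(f"unsupported sort column: {sort_key!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]

# Classic payload that turns the WHERE clause into a tautology.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))  # every row leaks
    print("safe:      ", find_user_safe(db, PAYLOAD))        # no such user
```

With the payload, the concatenated query becomes `WHERE username = '' OR '1'='1'` and returns every row; the bound version looks for a user literally named `' OR '1'='1` and finds nothing.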
2. What is the primary goal of secure coding practices in web applications?
A) To make the code more readable
B) To prevent unauthorized access and data breaches
C) To make development faster
D) To increase search engine ranking
Answer: B) To prevent unauthorized access and data breaches
Explanation: Secure coding aims to protect applications from vulnerabilities like SQL Injection, XSS, and authentication bypasses.
3. Which HTTP header helps prevent Clickjacking attacks?
A) X-Frame-Options
B) X-XSS-Protection
C) Content-Security-Policy
D) Strict-Transport-Security
Answer: A) X-Frame-Options
Explanation: X-Frame-Options: DENY (or SAMEORIGIN) tells the browser not to render the page inside a frame on another site, which defeats Clickjacking. Its modern replacement is the Content-Security-Policy frame-ancestors directive, which is more flexible and takes precedence where supported; sending both is common practice.
4. What is the best way to store passwords securely?
A) Storing them in plain text in the database
B) Encrypting them using a reversible encryption algorithm
C) Hashing with a strong hashing algorithm and a unique salt
D) Storing them in an Excel file
Answer: C) Hashing with a strong hashing algorithm and a unique salt
Explanation: Plaintext and reversible encryption both expose every password once the database or key is stolen. Password hashing functions such as bcrypt, scrypt or Argon2 are deliberately slow (scrypt and Argon2 are also memory-hard), and each stored hash uses its own random salt, which these libraries generate and embed, so identical passwords produce different hashes and precomputed tables are useless. A fast general-purpose hash such as SHA-256 on its own is not suitable for passwords.
5. Which OWASP vulnerability category does Insecure Direct Object References (IDOR) belong to?
A) Injection Attacks
B) Broken Access Control
C) Cross-Site Scripting (XSS)
D) Security Misconfiguration
Answer: B) Broken Access Control
Explanation: IDOR occurs when an application exposes a reference to an internal object (a database key, file name or account number in a URL or form field) and acts on it without verifying that the requester is authorized for that object. It is an authorization failure, which is why OWASP files it under Broken Access Control.
6. What is the best method to prevent Cross-Site Scripting (XSS) attacks?
A) Minifying JavaScript
B) Disabling JavaScript in the browser
C) Using output encoding and Content Security Policy (CSP)
D) Using strong passwords
Answer: C) Using output encoding and Content Security Policy (CSP)
Explanation: Context-appropriate output encoding (HTML entity encoding for element content and attributes, JavaScript string escaping inside scripts, URL encoding inside URLs) makes user-controlled data render as text instead of being parsed as markup or code. CSP is a second layer that limits which scripts may run and from where, so an injection that slips through has less impact.
7. Why should security be considered during the software development lifecycle (SDLC)?
A) To prevent security issues before deployment
B) To reduce software costs
C) To make code easier to debug
D) To increase application speed
Answer: A) To prevent security issues before deployment
Explanation: Implementing security early in the SDLC reduces vulnerabilities and minimizes the cost of fixing security flaws post-deployment.
8. Which of the following is a principle of secure authentication?
A) Storing user passwords in plaintext
B) Implementing multi-factor authentication (MFA)
C) Using the same password for multiple accounts
D) Allowing unlimited login attempts
Answer: B) Implementing multi-factor authentication (MFA)
Explanation: MFA adds an extra layer of security by requiring multiple verification methods beyond just a password.
9. What is a common cause of security misconfigurations in web applications?
A) Using secure frameworks
B) Disabling unnecessary features
C) Leaving default settings and credentials unchanged
D) Using encrypted connections
Answer: C) Leaving default settings and credentials unchanged
Explanation: Default configurations often contain weak security settings that attackers can exploit.
10. What is the purpose of the “least privilege” principle in security?
A) To limit user permissions to only what is necessary
B) To increase application performance
C) To make debugging easier
D) To allow unrestricted access for administrators
Answer: A) To limit user permissions to only what is necessary
Explanation: The least privilege principle minimizes security risks by restricting users to only the permissions required for their tasks.
11. Which OWASP guideline helps prevent session hijacking?
A) Using JWT tokens
B) Implementing secure session cookies with HttpOnly and Secure flags
C) Storing session IDs in URLs
D) Allowing unlimited session lifetimes
Answer: B) Implementing secure session cookies with HttpOnly and Secure flags
Explanation: HttpOnly stops client-side scripts from reading the cookie, Secure restricts it to HTTPS, and SameSite limits when the browser sends it with cross-site requests. Session IDs in URLs leak through logs, bookmarks and the Referer header, and unlimited lifetimes give a stolen ID indefinite value.
12. What is Cross-Site Request Forgery (CSRF)?
A) A type of phishing attack
B) An attack that forces users to perform unwanted actions on a site where they are authenticated
C) A method to prevent SQL Injection
D) A way to secure APIs
Answer: B) An attack that forces users to perform unwanted actions on a site where they are authenticated
Explanation: CSRF abuses the fact that browsers automatically attach cookies (and other ambient credentials) to requests, so a request triggered from an attacker's page is processed with the victim's authenticated session, without the victim's knowledge or consent.
13. Which of the following best mitigates Insecure Deserialization attacks?
A) Only deserializing objects from trusted sources
B) Using JSON instead of XML
C) Compressing serialized data
D) Using longer encryption keys
Answer: A) Only deserializing objects from trusted sources
Explanation: Deserializing attacker-controlled data with a native serializer (Java serialization, Python pickle, PHP unserialize and similar) can lead to remote code execution, because the format can instruct the runtime to construct arbitrary objects. Prefer data-only formats such as JSON with strict schema validation, verify integrity (for example an HMAC) before parsing, and restrict the classes that may be instantiated.
14. How can API security be improved?
A) Disabling authentication for APIs
B) Using rate limiting and authentication mechanisms
C) Allowing all IP addresses unrestricted access
D) Exposing API keys in client-side code
Answer: B) Using rate limiting and authentication mechanisms
Explanation: API security should include authentication, authorization, rate limiting, and encryption.
15. What is the role of a Web Application Firewall (WAF)?
A) To prevent hardware failures
B) To block malicious traffic and protect web applications
C) To speed up website loading
D) To prevent brute force attacks only
Answer: B) To block malicious traffic and protect web applications
Explanation: WAFs inspect HTTP requests and responses and block patterns that match known attacks. They are defense in depth, not a substitute for secure coding: encoding tricks and application logic flaws routinely bypass them.
16. What is the best way to secure sensitive data in transit?
A) Using HTTPS with TLS encryption
B) Sending data over plain HTTP
C) Encrypting data only at rest
D) Relying on user agreements
Answer: A) Using HTTPS with TLS encryption
Explanation: HTTPS (HTTP over TLS) encrypts the connection, protects its integrity and authenticates the server, so data cannot be read or modified in transit, provided the client validates the server certificate.
17. Which vulnerability does Content Security Policy (CSP) primarily mitigate?
A) SQL Injection
B) Cross-Site Scripting (XSS)
C) Cross-Site Request Forgery (CSRF)
D) Directory Traversal
Answer: B) Cross-Site Scripting (XSS)
Explanation: CSP restricts the execution of untrusted scripts, reducing XSS risks.
18. Which of the following measures helps prevent privilege escalation attacks?
A) Granting users administrative access by default
B) Implementing proper role-based access control (RBAC)
C) Storing credentials in environment variables
D) Allowing password reuse
Answer: B) Implementing proper role-based access control (RBAC)
Explanation: RBAC ensures that users only have the necessary permissions, reducing the risk of privilege escalation.
19. What is the best approach to prevent brute force attacks on authentication systems?
A) Implementing account lockout and rate limiting
B) Storing user passwords in plaintext
C) Disabling two-factor authentication
D) Allowing unlimited login attempts
Answer: A) Implementing account lockout and rate limiting
Explanation: Limiting login attempts and temporarily locking accounts stop attackers from guessing passwords at scale. Lockouts can themselves be abused to deny service to legitimate users, so combine them with per-IP and per-account rate limiting, progressive delays and MFA.
20. Which of the following is an example of an insecure coding practice?
A) Using hardcoded credentials in source code
B) Encrypting sensitive data before storing it
C) Implementing strong input validation
D) Using HTTPS for all communication
Answer: A) Using hardcoded credentials in source code
Explanation: Hardcoded credentials can be easily extracted from source code, leading to unauthorized access.
21. What is the main reason why security logging and monitoring are essential?
A) To comply with GDPR regulations
B) To detect and respond to security incidents in real time
C) To slow down application performance
D) To keep logs for debugging purposes only
Answer: B) To detect and respond to security incidents in real time
Explanation: Security logging allows organizations to track suspicious activities and detect breaches early.
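Added example (written for this page, not part of the original quiz): what "detect" looks like in practice. A small detector runs over constructed authentication log lines in a hypothetical `auth login_failed user=... ip=...` format and raises an alert for any source address with five or more failures inside a sliding one-minute window, escalating when a success follows the burst. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (hypothetical format, not from the page): a failed-login
# burst from 203.0.113.7 ending in a success, plus two widely spaced failures from
# 198.51.100.9 that should not alert at the default threshold.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth login_failed user=alice ip=203.0.113.7
2024-05-01T10:00:02Z auth login_failed user=bob ip=203.0.113.7
2024-05-01T10:00:03Z auth login_failed user=carol ip=203.0.113.7
2024-05-01T10:00:04Z auth login_failed user=dave ip=203.0.113.7
2024-05-01T10:00:05Z auth login_failed user=erin ip=203.0.113.7
2024-05-01T10:00:06Z auth login_success user=erin ip=203.0.113.7
2024-05-01T10:03:00Z auth login_failed user=alice ip=198.51.100.9
2024-05-01T10:09:00Z auth login_failed user=alice ip=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_failed|login_success) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse_events(log_text: str):
    """Yield (epoch_seconds, event, user, ip) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").timestamp()
            yield ts, m["event"], m["user"], m["ip"]

def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Alert on any source IP with >= threshold failed logins inside a sliding window,
    and mark the alert if a login success from that IP follows the burst."""
    recent = defaultdict(deque)   # ip -> timestamps/users of failures still in the window
    alerts = {}
    for ts, event, user, ip in parse_events(log_text):
        if event == "login_failed":
            q = recent[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window_seconds:   # evict failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first_failure": q[0][0],
                    "last_failure": ts,
                    "targeted_users": sorted({u for _, u in q}),
                    "success_after": False,
                }
        elif event == "login_success" and ip in alerts:
            # A success right after a burst of failures is the high-priority signal:
            # the guessing probably worked.
            alerts[ip]["success_after"] = True
            alerts[ip]["compromised_user"] = user
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The same loop works on a streaming log source; only the per-IP deque needs to be kept in memory, and the "success after failures" flag is what an on-call analyst should be paged for first.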
22. Why should developers avoid using weak cryptographic algorithms?
A) They require more processing power
B) They are easily broken, exposing sensitive data
C) They increase development time
D) They do not support backward compatibility
Answer: B) They are easily broken, exposing sensitive data
Explanation: MD5 and SHA-1 are hash functions, not encryption, and both have practical collision attacks; DES and RC4 are examples of broken ciphers. Use modern primitives such as AES (in an authenticated mode such as GCM) and SHA-256, and a dedicated password hash for passwords.
23. Which technique is effective for mitigating XML External Entity (XXE) attacks?
A) Disabling external entity processing in XML parsers
B) Allowing unrestricted XML parsing
C) Using weak access control mechanisms
D) Storing XML files in unprotected directories
Answer: A) Disabling external entity processing in XML parsers
Explanation: With external entities enabled, a crafted document can make the parser read local files, reach internal services (SSRF) or exhaust memory through recursive entity expansion. Disabling DTD and external entity processing removes that capability.
24. What is an effective defense against command injection attacks?
A) Using input validation and allowing only safe characters
B) Running commands with high privileges
C) Concatenating user input into system commands
D) Disabling firewall protection
Answer: A) Using input validation and allowing only safe characters
Explanation: Allow-list validation (only the characters a hostname or file name may legitimately contain) keeps shell metacharacters out of the input. The stronger fix is to avoid a shell entirely and call the program with an argument list, so input can never be parsed as shell syntax; use both.
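Added example (written for this page, not part of the original quiz): the injectable `shell=True` form beside the hardened form, which validates the host against a hostname allow-list with `fullmatch` and then passes an argv list to `subprocess.run` with no shell. `echo` stands in for the real tool (ping, nslookup and the like) so the demonstration is harmless; the hostname pattern is an assumption.

```python
import re
import subprocess

# Allow-list for a DNS hostname: labels of letters, digits and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

def run_vulnerable(host: str) -> str:
    # shell=True hands one string to /bin/sh, so "; <cmd>" inside host runs <cmd>.
    # "echo" stands in for the real tool so the demo has no side effects.
    return subprocess.run("echo resolving " + host, shell=True,
                          capture_output=True, text=True).stdout

def build_argv(host: str) -> list:
    # 1) Allow-list validation with fullmatch: partial matches and trailing newlines fail.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    # 2) An argv list, never a shell string: host is exactly one argument whatever it
    #    contains. The pattern also guarantees it cannot start with "-" and be read as an option.
    return ["echo", "resolving", host]

def run_safe(host: str) -> str:
    return subprocess.run(build_argv(host), shell=False,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(run_vulnerable(payload), end="")   # the second command runs
    try:
        run_safe(payload)
    except ValueError as e:
        print("rejected:", e)
```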
25. What should developers do to prevent session fixation attacks?
A) Allow users to reuse old session IDs
B) Regenerate session IDs after authentication
C) Use default session management settings
D) Store session IDs in URLs
Answer: B) Regenerate session IDs after authentication
Explanation: In session fixation the attacker plants a session ID they already know before the victim logs in. Issuing a fresh ID at authentication, and invalidating the old one, means the attacker's ID never becomes an authenticated session.
26. Why is it important to apply security patches promptly?
A) To improve application performance
B) To prevent exploitation of known vulnerabilities
C) To enhance search engine rankings
D) To allow users to bypass authentication
Answer: B) To prevent exploitation of known vulnerabilities
Explanation: Security patches fix vulnerabilities that attackers might exploit.
27. Which security mechanism helps prevent unauthorized API access?
A) API rate limiting and authentication
B) Using default API keys
C) Allowing unrestricted API access
D) Storing API keys in frontend JavaScript
Answer: A) API rate limiting and authentication
Explanation: Rate limiting prevents abuse, while authentication ensures only authorized users can access APIs.
28. How can Cross-Site WebSocket Hijacking (CSWH) be prevented?
A) Using WebSockets over HTTP
B) Implementing proper origin checks and authentication
C) Disabling WebSockets entirely
D) Allowing unrestricted cross-origin requests
Answer: B) Implementing proper origin checks and authentication
Explanation: The WebSocket handshake is not protected by the same-origin policy and the browser attaches cookies to it, so a page on any origin can open a socket to the application with the victim's session. The server must check the Origin header against an allow-list of its own origins and should bind the socket to an authenticated session or token. Use wss:// (TLS) rather than unencrypted ws://.
29. Which method is most secure for validating user input?
A) Blacklisting known bad inputs
B) Using regular expressions to enforce strict rules
C) Accepting all user input without validation
D) Storing user input directly in the database
Answer: B) Using regular expressions to enforce strict rules
Explanation: Input validation should follow an allow-list approach, accepting only values that match a strict definition of what is valid. Anchor the pattern to the whole value (for example re.fullmatch in Python) so partial matches and trailing newlines are not accepted, and treat validation as a complement to, not a replacement for, parameterized queries and output encoding.
30. Why should error messages be handled carefully in secure coding?
A) They should contain full stack traces for debugging
B) They should expose minimal information to avoid leaks
C) They should always include database queries
D) They should be displayed in a pop-up alert
Answer: B) They should expose minimal information to avoid leaks
Explanation: Detailed error messages can reveal sensitive information to attackers.
31. What is the best way to prevent insecure deserialization vulnerabilities?
A) Allow only trusted sources to deserialize objects
B) Serialize user input without validation
C) Store serialized objects in plaintext
D) Use weak encryption to store objects
Answer: A) Allow only trusted sources to deserialize objects
Explanation: Restricting deserialization to trusted, integrity-checked input and data-only formats prevents attackers from injecting objects that execute code during deserialization.
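Added example (written for this page, not part of the original quiz) covering questions 13 and 31: a serialization envelope that makes "trusted source" checkable. Data is serialized as JSON (no object construction on load), an HMAC-SHA256 tag over the exact bytes is verified in constant time before anything is parsed, and the parsed result must match a fixed schema. The signing key and the `user_id`/`role` schema are assumptions; `forge_without_key` shows the tampering the verifier must catch.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumption: in production this key comes from a secret store, not from source code.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Strict schema: exactly these fields with exactly these types; anything else is rejected.
SCHEMA = {"user_id": int, "role": str}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def serialize(obj: dict) -> str:
    """Serialize to canonical JSON and append an HMAC-SHA256 tag over the exact bytes."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)

def deserialize(token: str) -> dict:
    """Verify the tag *before* parsing, then enforce the schema on the parsed data."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error) as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("signature mismatch")
    obj = json.loads(payload)                        # data-only format: no objects are built
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise ValueError("unexpected fields")
    for field, expected_type in SCHEMA.items():
        if type(obj[field]) is not expected_type:
            raise ValueError(f"bad type for {field}")
    return obj

def forge_without_key(obj: dict, old_token: str) -> str:
    """What an attacker without the key can do: swap the payload, reuse the old tag."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return b64(payload) + "." + old_token.split(".")[1]
```

The contrast with `pickle.loads(untrusted_bytes)` is the point: pickle executes constructors chosen by the data, so no amount of checking after the call helps; here the only thing that runs is `json.loads`, and it runs only on bytes whose author held the key.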
32. How can insecure CORS configurations be exploited?
A) By allowing attackers to execute arbitrary scripts
B) By restricting all cross-origin requests
C) By blocking access to the application
D) By using only HTTPS
Answer: A) By allowing attackers to execute arbitrary scripts
Explanation: A common misconfiguration reflects any Origin header back in Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true. An attacker's page can then make credentialed cross-origin requests in the victim's browser and read the responses, stealing sensitive data from the application's API.
33. Why is it essential to use security headers in web applications?
A) They prevent common security vulnerabilities like XSS and Clickjacking
B) They slow down web performance
C) They are required for JavaScript execution
D) They store user session data
Answer: A) They prevent common security vulnerabilities like XSS and Clickjacking
Explanation: Headers like Content-Security-Policy, X-Frame-Options (or CSP frame-ancestors), Strict-Transport-Security and X-Content-Type-Options instruct the browser to enforce protections against XSS, Clickjacking, protocol downgrade and MIME sniffing. X-XSS-Protection is obsolete: modern browsers have removed the filter it controlled, and CSP is its replacement.
34. What is the OWASP-recommended best practice for handling file uploads?
A) Allow all file types
B) Validate file type, size, and sanitize file names
C) Store uploaded files in an unrestricted directory
D) Execute uploaded files immediately
Answer: B) Validate file type, size, and sanitize file names
Explanation: Proper validation prevents malicious file uploads that could lead to RCE.
35. Why should session tokens be stored in secure cookies?
A) To prevent session hijacking through JavaScript attacks
B) To make it easier for attackers to steal session data
C) To improve website loading speed
D) To allow session tokens to be accessed by any script
Answer: A) To prevent session hijacking through JavaScript attacks
Explanation: The HttpOnly attribute keeps JavaScript from reading the cookie, so an XSS payload cannot simply exfiltrate the session token, and the Secure attribute keeps it off plaintext HTTP. Both should be set on every session cookie.
36. What is the primary security risk of allowing file uploads without validation?
A) Increased server storage usage
B) Users uploading inappropriate content
C) Attackers uploading malicious scripts or executables
D) Increased network traffic
Answer: C) Attackers uploading malicious scripts or executables
Explanation: Without proper validation, attackers can upload malicious files, leading to remote code execution (RCE) or server compromise.
37. What is an effective method to protect against Directory Traversal attacks?
A) Using absolute file paths for user uploads
B) Restricting input to prevent the use of ../ sequences
C) Allowing all file system operations
D) Storing files in an open-access directory
Answer: B) Restricting input to prevent the use of ../ sequences
Explanation: Directory Traversal attacks exploit improper input validation to read or write files outside the intended directory. Blocking the literal ../ sequence is only a first step: attackers use URL-encoded, double-encoded and backslash variants as well as absolute paths. The robust fix is to canonicalize the resolved path and verify that it still lies under the permitted base directory.
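Added example (written for this page, not part of the original quiz): the deny-list check from the answer beside a canonicalization check. `safe_join` URL-decodes the input, resolves the joined path with `os.path.realpath` (which collapses `..` and follows symlinks) and then proves the result is still under the upload root. The root directory is an assumption and need not exist for the demonstration.

```python
import os
from urllib.parse import unquote

# Assumption: uploads live under this directory on a POSIX host.
UPLOAD_ROOT = "/srv/app/uploads"

def naive_filter(name: str) -> bool:
    """The deny-list check the answer describes; True means the name is accepted."""
    return "../" not in name

def safe_join(root: str, user_path: str) -> str:
    """Canonicalize and prove the result stays inside root; raise ValueError otherwise."""
    if "\x00" in user_path:
        raise ValueError("null byte in path")
    # Decode first so %2e%2e%2f cannot slip past the check below.
    decoded = unquote(user_path)
    root_real = os.path.realpath(root)
    # os.path.join discards root if `decoded` is absolute, and realpath collapses "..",
    # "." and symlinks, so the comparison sees the path the OS would actually open.
    target = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return target

if __name__ == "__main__":
    for candidate in ("report.pdf", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        try:
            print(candidate, "->", safe_join(UPLOAD_ROOT, candidate))
        except ValueError as e:
            print(candidate, "-> rejected:", e)
```

`commonpath` rather than `startswith` matters: `"/srv/app/uploads-old/x".startswith("/srv/app/uploads")` is true, but it is not inside the root.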
38. How can a developer prevent unvalidated redirects and forwards?
A) Allowing all redirect URLs from user input
B) Using a whitelist of trusted redirect URLs
C) Encrypting all URLs
D) Allowing users to specify any redirect destination
Answer: B) Using a whitelist of trusted redirect URLs
Explanation: Unvalidated redirects let attackers send users from a trusted domain to a phishing or malware site. Compare the parsed destination against an allow-list of hosts or local paths rather than checking string prefixes, which a URL such as https://trusted.example.com.evil.net would pass.
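Added example (written for this page, not part of the original quiz): a redirect-target check that parses the value with `urllib.parse.urlsplit` and accepts only a local absolute path or an https URL whose host is on an allow-list, falling back to a fixed default otherwise. The allowed hosts are placeholders; the rejected inputs are the usual bypass shapes (protocol-relative `//`, userinfo `@`, look-alike suffix, `javascript:`).

```python
from urllib.parse import urlsplit

# Assumption: the application's own hosts (placeholders for the example).
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"

def safe_redirect_target(user_supplied) -> str:
    """Return the URL to redirect to: the input if it is a local path or an https URL on
    an allow-listed host, otherwise a fixed default. Never echo an unvetted value."""
    if not user_supplied:
        return DEFAULT_TARGET
    raw = user_supplied.strip()
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # Absolute URL: scheme must be https and the host must match exactly.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        if parts.username or parts.password:      # "https://evil.com@app.example.com/"
            return DEFAULT_TARGET
        return raw
    # No scheme and no netloc: accept only a plain absolute path. "//host" is handled
    # above (it parses as a netloc); backslashes are rejected because browsers treat
    # "/\evil.com" like "//evil.com".
    if not parts.path.startswith("/") or "\\" in raw:
        return DEFAULT_TARGET
    return raw
```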
39. What is the best way to protect against API key exposure?
A) Storing API keys in JavaScript files
B) Keeping API keys hardcoded in the frontend
C) Storing API keys securely in environment variables
D) Publishing API keys in public repositories
Answer: C) Storing API keys securely in environment variables
Explanation: Keeping keys out of source code means they are not committed to repositories or shipped to browsers. Environment variables are a common minimum; a secrets manager with rotation is better, and in either case keys must not end up in logs, error messages or client-side bundles.
40. Why is Cross-Origin Resource Sharing (CORS) important for web security?
A) It speeds up website performance
B) It allows cross-origin requests only when necessary
C) It ensures that all APIs are accessible from any origin
D) It disables security restrictions for web applications
Answer: B) It allows cross-origin requests only when necessary
Explanation: Properly configured CORS policies prevent unauthorized cross-origin requests that could lead to data theft.
41. What security issue arises from using insecure direct object references (IDOR)?
A) Unrestricted file downloads
B) Users accessing unauthorized data
C) Increased database storage usage
D) Slower application response times
Answer: B) Users accessing unauthorized data
Explanation: IDOR vulnerabilities allow attackers to manipulate references and access unauthorized resources.
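Added example (written for this page, not part of the original quiz) covering questions 5 and 41: an invoice lookup that trusts the ID from the request beside one that makes ownership part of the query, run against a constructed SQLite table. Both missing and not-owned rows get the same "not found" result so IDs cannot be enumerated. The table and rows are assumptions.

```python
import sqlite3

# Constructed sample data (not from the page): two users, each owning one invoice.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1001, 1, "$120.00"), (1002, 2, "$9,800.00")])
    return conn

class NotFound(Exception):
    pass

def get_invoice_vulnerable(conn: sqlite3.Connection, invoice_id: int) -> dict:
    # The lookup trusts the id from the request and never asks who is requesting it:
    # user 1 can read /invoices/1002 just by changing the number.
    row = conn.execute("SELECT id, owner_id, total FROM invoices WHERE id = ?",
                       (invoice_id,)).fetchone()
    if row is None:
        raise NotFound
    return {"id": row[0], "owner_id": row[1], "total": row[2]}

def get_invoice_safe(conn: sqlite3.Connection, invoice_id: int, current_user_id: int) -> dict:
    # Authorization is part of the query: the row must belong to the authenticated user,
    # whose id comes from the server-side session, never from the request.
    row = conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id)).fetchone()
    if row is None:
        # Same response for "does not exist" and "not yours", so ids cannot be enumerated.
        raise NotFound
    return {"id": row[0], "owner_id": row[1], "total": row[2]}
```

Scoping the query is preferable to fetching the row and checking `owner_id` afterwards in application code, because the check then cannot be forgotten on a new endpoint that reuses the query.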
42. Which security control helps protect against broken authentication vulnerabilities?
A) Storing user credentials in plaintext
B) Enforcing strong password policies and MFA
C) Allowing users to set any password without complexity rules
D) Using the same session ID for all users
Answer: B) Enforcing strong password policies and MFA
Explanation: Strong password policies and multi-factor authentication (MFA) enhance authentication security.
43. Why should developers avoid using eval() in JavaScript?
A) It makes the code harder to read
B) It can execute malicious scripts and lead to code injection attacks
C) It slows down application performance
D) It is not supported in modern browsers
Answer: B) It can execute malicious scripts and lead to code injection attacks
Explanation: eval() executes whatever string it is given as code. If any part of that string derives from user input, an attacker can inject arbitrary JavaScript. The same applies to new Function() and to setTimeout or setInterval called with a string argument.
44. Which of the following is a best practice for handling user-generated content?
A) Allowing all types of input without sanitization
B) Escaping and sanitizing user input before displaying it
C) Storing user input directly in the database without validation
D) Allowing script execution within user comments
Answer: B) Escaping and sanitizing user input before displaying it
Explanation: Encode user-generated content at output time, using the encoding that matches the context it is inserted into (HTML body, attribute, script, URL), so it is displayed rather than executed. Where rich HTML must be allowed, sanitize it with an allow-list-based HTML sanitizer.
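Added example (written for this page, not part of the original quiz) covering questions 6 and 44: rendering a user comment with raw interpolation beside context-aware encoding using the standard library. `html.escape(..., quote=True)` covers element content and quoted attributes; for a value dropped into an inline script, `json.dumps` plus escaping of `</` keeps the data from closing the script tag. The markup is a constructed template.

```python
import html
import json

def render_comment_vulnerable(author: str, text: str) -> str:
    # Raw interpolation: any markup in the data becomes part of the page.
    return f'<div class="comment" data-author="{author}">{text}</div>'

def render_comment_safe(author: str, text: str) -> str:
    # html.escape(quote=True) handles both element content and quoted attribute values:
    # < > & " ' become entities, so the browser renders them as text.
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'{html.escape(text, quote=True)}</div>')

def js_string_literal(value: str) -> str:
    """Encode a value for use inside an inline <script> string literal.
    json.dumps escapes quotes and control characters; "</" is additionally escaped
    so the data can never contain a closing </script> tag."""
    return json.dumps(value).replace("</", "<\\/")

def render_page(comment_html: str, js_value: str) -> str:
    return (f"<body>{comment_html}"
            f"<script>var current = {js_string_literal(js_value)};</script></body>")
```

Note that HTML entity encoding alone would not be safe inside the script block: `&lt;` stays `&lt;` there, and `"` would still terminate the string, which is why each context gets its own encoder.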
45. How does the HttpOnly cookie attribute improve security?
A) It prevents JavaScript from accessing the cookie
B) It allows cookies to be accessed by any script
C) It makes cookies expire immediately
D) It encrypts the cookie contents
Answer: A) It prevents JavaScript from accessing the cookie
Explanation: HttpOnly prevents client-side scripts from reading the cookie, reducing the risk of XSS-based session hijacking.
46. What should be done to secure RESTful APIs?
A) Implement authentication and authorization mechanisms
B) Expose all endpoints publicly
C) Disable HTTPS
D) Allow all IP addresses unrestricted access
Answer: A) Implement authentication and authorization mechanisms
Explanation: Secure APIs require authentication and authorization to prevent unauthorized access.
47. Why should developers avoid disclosing software version details in HTTP headers?
A) It helps users identify the software version
B) Attackers can use version details to exploit known vulnerabilities
C) It improves browser compatibility
D) It reduces server response time
Answer: B) Attackers can use version details to exploit known vulnerabilities
Explanation: Hiding software version details reduces the risk of attackers targeting known exploits.
48. What is a major risk of improper input validation in a web application?
A) Increased website traffic
B) Higher server maintenance costs
C) Vulnerability to injection attacks like SQLi and XSS
D) Improved user experience
Answer: C) Vulnerability to injection attacks like SQLi and XSS
Explanation: Improper input validation allows attackers to inject malicious code into the application.
49. Which practice helps prevent security misconfiguration in web applications?
A) Keeping default security settings unchanged
B) Regularly reviewing and updating security configurations
C) Allowing unrestricted administrative access
D) Using weak encryption settings
Answer: B) Regularly reviewing and updating security configurations
Explanation: Security settings should be periodically reviewed and updated to mitigate vulnerabilities.
50. What is the impact of using weak session management in web applications?
A) Increased website loading speed
B) Potential session hijacking and unauthorized access
C) Improved search engine rankings
D) Users being unable to log in
Answer: B) Potential session hijacking and unauthorized access
Explanation: Weak session management allows attackers to take over user sessions, leading to account compromise.
51. What is the primary benefit of using a Web Application Firewall (WAF)?
A) It protects against application-layer attacks such as SQL Injection and XSS
B) It replaces the need for secure coding practices
C) It improves the website’s loading speed
D) It allows unrestricted access to the application
Answer: A) It protects against application-layer attacks such as SQL Injection and XSS
Explanation: A WAF filters and monitors HTTP traffic and blocks requests matching known attack patterns; it adds a layer in front of the application but does not replace secure coding.
52. How can developers prevent unauthorized API access?
A) By implementing API authentication and access control
B) By allowing unrestricted access to API endpoints
C) By storing API keys in JavaScript files
D) By using weak passwords for API authentication
Answer: A) By implementing API authentication and access control
Explanation: API authentication (OAuth, JWT, API keys) and access control prevent unauthorized access and API abuse.
53. What is an effective measure against a Cross-Site Request Forgery (CSRF) attack?
A) Using unique CSRF tokens in HTTP requests
B) Allowing users to submit requests without verification
C) Disabling authentication
D) Allowing cookies to be accessible via JavaScript
Answer: A) Using unique CSRF tokens in HTTP requests
Explanation: A CSRF token is an unpredictable value tied to the user's session that an attacker's page cannot read. The server rejects state-changing requests that do not carry the expected token, so a forged request fails. SameSite cookie attributes are an additional layer.
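Added example (written for this page, not part of the original quiz) covering questions 12 and 53: the synchronizer-token pattern with a constructed in-memory session store. One random token is issued per session, embedded in forms, and compared in constant time before the endpoint does anything; a missing session, a missing token or another session's token all fail closed.

```python
import hmac
import secrets

# Constructed server-side session store for the example: session id -> data dict.
SESSIONS = {}

def new_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def issue_csrf_token(sid: str) -> str:
    """One unpredictable token per session, stored server-side and embedded in forms."""
    session = SESSIONS[sid]
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def verify_csrf(sid, submitted) -> bool:
    """Compare the submitted token with the session's in constant time.
    Missing session, missing token or mismatch all fail closed."""
    session = SESSIONS.get(sid)
    if session is None or not submitted or "csrf" not in session:
        return False
    return hmac.compare_digest(session["csrf"], submitted)

def handle_transfer(sid: str, form: dict) -> str:
    """A state-changing endpoint: the token check happens before any side effect.
    The cookie (sid) arrives automatically with a forged request; the token does not."""
    if not verify_csrf(sid, form.get("csrf_token")):
        return "403 Forbidden"
    return f"200 transferred {form['amount']} to {form['to']}"
```

The attacker's page can make the browser send the session cookie, but it cannot read the victim's form to learn the token, which is exactly the property the check relies on; that is also why the token must never be exposed to other origins through a misconfigured CORS policy.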
54. Why should user passwords never be stored using reversible encryption?
A) It makes login faster
B) Encrypted passwords can be decrypted if an attacker gains access
C) It helps users remember their passwords
D) It improves user experience
Answer: B) Encrypted passwords can be decrypted if an attacker gains access
Explanation: Passwords should be hashed with strong algorithms (bcrypt, Argon2) instead of encrypted to prevent reversibility.
55. What should be done to secure API rate limits against abuse?
A) Implementing rate limiting and throttling mechanisms
B) Allowing unlimited API requests
C) Storing API keys in client-side code
D) Using weak API authentication
Answer: A) Implementing rate limiting and throttling mechanisms
Explanation: Rate limiting prevents excessive requests, reducing the risk of DDoS attacks and API abuse.
56. What is the risk of exposing sensitive error messages to users?
A) Attackers can gain insights into application vulnerabilities
B) Users can fix issues themselves
C) It improves debugging for developers
D) It has no impact on security
Answer: A) Attackers can gain insights into application vulnerabilities
Explanation: Error messages should be generic for users and detailed only in logs to prevent information disclosure.
57. What is the purpose of implementing Multi-Factor Authentication (MFA)?
A) To replace passwords
B) To require users to remember multiple passwords
C) To add an extra layer of security beyond just a password
D) To slow down the login process
Answer: C) To add an extra layer of security beyond just a password
Explanation: MFA requires multiple forms of authentication, such as a password and a one-time code, improving security.
58. Why should CORS policies be properly configured?
A) To prevent unauthorized cross-origin requests
B) To allow unrestricted API access from any origin
C) To increase website traffic
D) To disable browser security features
Answer: A) To prevent unauthorized cross-origin requests
Explanation: Misconfigured CORS can lead to data theft and API abuse by allowing attackers to make unauthorized requests.
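Added example (written for this page, not part of the original quiz) covering questions 28, 32, 40 and 58: one exact-match origin allow-list used both to build CORS response headers and to vet a WebSocket handshake. The vulnerable variant reflects whatever Origin arrives together with Allow-Credentials, which is the misconfiguration that lets any site read authenticated responses. The allowed origins are placeholders.

```python
# Assumption: the application's front-end origins (placeholders for the example).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def cors_headers_vulnerable(request_origin: str) -> dict:
    # Reflecting the Origin header while allowing credentials switches CORS off:
    # any site can make cookie-authenticated requests and read the responses.
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }

def origin_allowed(origin) -> bool:
    # Exact string match on scheme + host + port; no prefix, suffix or regex matching,
    # so "https://app.example.com.evil.net", "http://app.example.com" and a missing
    # or "null" Origin all fail.
    return origin in ALLOWED_ORIGINS

def cors_headers_safe(request_origin) -> dict:
    if not origin_allowed(request_origin):
        return {}            # no CORS headers at all: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",    # caches must key on Origin when the value varies per request
    }

def accept_websocket_upgrade(headers: dict) -> bool:
    """Cross-Site WebSocket Hijacking check: browsers send Origin on the handshake and
    attach cookies to it, so the server has to validate Origin itself."""
    return origin_allowed(headers.get("Origin"))
```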
59. Which of the following is the best approach to input validation?
A) Whitelisting known good inputs
B) Accepting all user input without validation
C) Blacklisting known bad inputs
D) Storing all input data in raw format
Answer: A) Whitelisting known good inputs
Explanation: Whitelisting ensures only valid and expected inputs are allowed, preventing many attacks like SQLi and XSS.
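Added example (written for this page, not part of the original quiz) covering questions 29 and 59: allow-list validators built on `re.fullmatch`, next to the common `^...$` with `re.match` form that leaks, because `$` matches before a trailing newline. The value formats (username, numeric order id, slug) are assumptions.

```python
import re

# Allow-list patterns describe what a valid value looks like, not what an attack looks like.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
ORDER_ID_RE = re.compile(r"[0-9]{1,10}")
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")

def validate_username(value: str) -> bool:
    # fullmatch: the entire string must match. Unlike "^...$" with re.match there is
    # no trailing-newline exception and no partial match at the start of the string.
    return USERNAME_RE.fullmatch(value) is not None

def validate_order_id(value: str):
    """Return the integer id, or None if the value is not an allow-listed decimal string."""
    if ORDER_ID_RE.fullmatch(value) is None:
        return None
    return int(value)

def validate_slug(value: str) -> bool:
    return SLUG_RE.fullmatch(value) is not None

def dollar_anchor_pitfall(value: str) -> bool:
    """The common but leaky form: '$' matches before a trailing newline, so 'alice\\n'
    is accepted even though it is not a valid username. Use fullmatch or \\Z instead."""
    return re.match(r"^[a-z][a-z0-9_]{2,31}$", value) is not None
```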
60. What should be done to prevent attackers from tampering with JWT tokens?
A) Use strong secret keys and sign tokens with a secure algorithm
B) Store JWT tokens in local storage
C) Use an insecure hashing algorithm
D) Allow JWT tokens to be modified by the client
Answer: A) Use strong secret keys and sign tokens with a secure algorithm
Explanation: Sign JWTs with a strong algorithm (HS256 with a long random secret, or RS256/ES256 with a private key) and verify the signature on every request. The server must pin the algorithm it expects rather than trusting the token's alg header, reject alg: none, and check the expiry and audience claims.
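Added example (written for this page, not part of the original quiz): a minimal HS256 signer and verifier using only the standard library, written to show the checks a real library must perform: the algorithm is pinned rather than read from the token, the signature is compared in constant time before the claims are trusted, and `exp` is required. Two helper functions build the tokens an attacker would try (`alg: none`, and a swapped payload under the old signature). The key is a placeholder.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the key is loaded from a secret store in real code, never hardcoded.
SECRET_KEY = b"demo-hs256-key-use-32-random-bytes"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_encode(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def jwt_decode(token: str, key: bytes, now=None) -> dict:
    """Verify and return the claims; raise ValueError on any problem."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm. Trusting header["alg"] lets an attacker choose "none", or
    # swap an RSA public key in as the HMAC secret on a server that accepts both.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))        # parsed only after the signature holds
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims

# Two attacks the verifier above must stop.
def forge_alg_none(claims: dict) -> str:
    """Unsigned token with alg=none; naive implementations used to accept it."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return header + "." + b64url_encode(json.dumps(claims).encode()) + "."

def tamper_claims(token: str, new_claims: dict) -> str:
    """Keep the original signature but replace the payload."""
    h, _, s = token.split(".")
    return h + "." + b64url_encode(json.dumps(new_claims).encode()) + "." + s
```

In production use a maintained library and pass the expected algorithm list explicitly; the point of the block is which checks that library must be doing on your behalf.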
61. How can developers prevent security misconfigurations?
A) Regularly review and update application security settings
B) Leave default settings unchanged
C) Allow unrestricted administrative access
D) Disable security updates
Answer: A) Regularly review and update application security settings
Explanation: Security misconfigurations often expose sensitive data or allow unauthorized access, making regular updates crucial.
62. What is the risk of using weak cryptographic algorithms?
A) Increased security
B) Faster encryption speeds
C) Attackers can easily break the encryption
D) Stronger password protection
Answer: C) Attackers can easily break the encryption
Explanation: Weak or deprecated algorithms (MD5, SHA-1, DES, RC4) have practical attacks such as hash collisions and key recovery, so data protected by them can be forged or decrypted.
63. Why should security headers be implemented in web applications?
A) They help prevent common attacks like XSS and Clickjacking
B) They increase website speed
C) They replace the need for authentication
D) They allow unrestricted access to user data
Answer: A) They help prevent common attacks like XSS and Clickjacking
Explanation: Security headers like CSP, X-Frame-Options, and HSTS protect against various web attacks.
64. How can a web application prevent excessive resource consumption by attackers?
A) Implementing rate limiting and input validation
B) Allowing unlimited requests from any user
C) Disabling authentication
D) Using weak passwords
Answer: A) Implementing rate limiting and input validation
Explanation: Rate limiting and input validation help prevent DDoS attacks and resource exhaustion.
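Added example (written for this page, not part of the original quiz) covering questions 19, 55 and 64: a sliding-window rate limiter with an injected clock, composed into a login guard that limits by source IP (password spraying across many accounts) and by account (one account hit from many IPs). The limits are assumptions; a real deployment keeps the counters in a shared store such as Redis so all instances see them.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key.
    The clock is passed in, so behaviour is deterministic and testable."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)   # key -> timestamps of accepted events

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False     # caller answers 429 and never touches the backend
        q.append(now)
        return True

class LoginGuard:
    """Both limiters must allow an attempt before the password is even checked."""

    def __init__(self):
        self.by_ip = SlidingWindowLimiter(limit=20, window_seconds=60)
        self.by_account = SlidingWindowLimiter(limit=5, window_seconds=300)

    def attempt(self, ip: str, username: str, now: float) -> str:
        if not self.by_ip.allow(ip, now) or not self.by_account.allow(username, now):
            return "429 slow down"
        return "proceed to password check"
```

Counting only accepted attempts (denied ones are not appended) keeps a blocked attacker from extending their own block forever, which would otherwise make the per-account limiter a denial-of-service tool against the legitimate user.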
65. What is the primary risk of using default credentials in applications?
A) Attackers can easily gain unauthorized access
B) Users will have trouble remembering passwords
C) It improves system performance
D) It speeds up deployment
Answer: A) Attackers can easily gain unauthorized access
Explanation: Default credentials are well-known and often exploited, leading to unauthorized access.
66. What is an effective way to prevent privilege escalation attacks?
A) Enforcing the least privilege principle
B) Allowing users to escalate privileges automatically
C) Using hardcoded credentials
D) Disabling security logging
Answer: A) Enforcing the least privilege principle
Explanation: Users should only have the permissions necessary for their tasks, reducing privilege escalation risks.
67. Why should sensitive data be encrypted in transit and at rest?
A) To prevent unauthorized access and data leaks
B) To make applications load faster
C) To store larger amounts of data
D) To allow users to access it without authentication
Answer: A) To prevent unauthorized access and data leaks
Explanation: Encrypting data ensures that even if it is intercepted or stolen, it remains unreadable.
68. How can applications mitigate Server-Side Request Forgery (SSRF) attacks?
A) Restricting outbound requests to trusted sources
B) Allowing all network requests
C) Using weak input validation
D) Disabling authentication
Answer: A) Restricting outbound requests to trusted sources
Explanation: SSRF abuses server-side code that fetches a URL supplied by the user, turning the server into a proxy into internal networks and cloud metadata services. Validate the destination against an allow-list of hosts, reject private, loopback and link-local addresses, and do not follow redirects blindly.
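Added example (written for this page, not part of the original quiz): a destination check for server-side fetches. It restricts the scheme and port, rejects URLs carrying userinfo, rejects IP literals outright (with a specific message for non-public ranges such as 127.0.0.0/8, 10.0.0.0/8, 169.254.169.254 and ::1) and requires the hostname to be on an allow-list. The allowed hosts are placeholders. The check is offline by design; the remaining gap, DNS rebinding and redirects to internal addresses, is closed by resolving the name once, validating the resolved address the same way, connecting to that address, and not following redirects.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only upstream hosts this feature should ever reach.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_PORTS = {None, 80, 443}

def validate_outbound_url(url: str) -> str:
    """Return the URL if it is safe to fetch server-side; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")             # file://, gopher://, ftp:// ...
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed")           # https://api.example.com@10.0.0.1/
    host = parts.hostname                                  # already lower-cased by urlsplit
    if not host:
        raise ValueError("missing host")
    try:
        port = parts.port
    except ValueError as exc:
        raise ValueError("invalid port") from exc
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    # IP literals bypass the hostname allow-list, so they are never accepted; the
    # message distinguishes the internal/metadata ranges attackers actually target.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        kind = "public" if ip.is_global else "non-public (loopback/private/link-local)"
        raise ValueError(f"IP literal rejected: {host} is {kind}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allow-listed: {host}")
    return url
```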
69. Why is session expiration important?
A) It reduces the risk of session hijacking
B) It improves website speed
C) It prevents brute force attacks
D) It allows users to stay logged in indefinitely
Answer: A) It reduces the risk of session hijacking
Explanation: Session expiration limits the window of attack, making hijacked sessions less valuable.
71. What is the main security concern with failing to validate user-uploaded file extensions?
A) Files may be too large
B) Attackers can upload executable scripts or malware
C) Users may upload incorrect file types
D) Files may be difficult to download
Answer: B) Attackers can upload executable scripts or malware
Explanation: If the server trusts the file name or extension, attackers can upload server-side scripts that are later executed. Check the extension against an allow-list, verify that the content matches the declared type, store files outside the web root under generated names, and never execute uploads.
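Added example (written for this page, not part of the original quiz) covering questions 34, 36 and 71: an upload validator that enforces a size cap, an extension allow-list on the last extension only, a content check against the magic bytes expected for that extension, and then discards the user's file name in favour of a random one. The allowed types and size limit are assumptions; the sample payloads are constructed.

```python
import os
import secrets

# Policy (constructed for the example): allowed extension -> expected leading bytes.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024

def validate_upload(original_name: str, data: bytes) -> str:
    """Return a safe server-side file name for the upload, or raise ValueError.
    Checks: size, extension allow-list, and content magic bytes matching the extension."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise ValueError("empty or oversized upload")
    # Keep only the last path component and the *last* extension: "shell.php.png"
    # is treated as .png and must then actually be a PNG; "shell.png\x00.php" ends in .php.
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    # The original name never touches the disk: a random name plus the validated
    # extension removes traversal, null bytes, collisions and double-extension tricks.
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample payloads (not real files).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PHP_BYTES = b"<?php system($_GET['cmd']); ?>"
```

Serve the stored files with a fixed Content-Type and `Content-Disposition: attachment` (or from a separate, script-free origin) so that even a file that passes these checks is never interpreted by the server or rendered as HTML in the application's origin.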
72. Why is it recommended to disable directory listing on a web server?
A) To prevent attackers from accessing sensitive files
B) To reduce bandwidth usage
C) To improve website speed
D) To allow users to see all files
Answer: A) To prevent attackers from accessing sensitive files
Explanation: Directory listing exposes file structures, which can help attackers locate sensitive files and vulnerabilities.
73. How can developers protect against session hijacking attacks?
A) By regenerating session IDs upon login
B) By using weak session management
C) By allowing session IDs to be transmitted over HTTP
D) By storing session IDs in URLs
Answer: A) By regenerating session IDs upon login
Explanation: Regenerating session IDs upon authentication prevents attackers from hijacking old session tokens.
74. What is the primary benefit of implementing Content Security Policy (CSP)?
A) It prevents SQL Injection
B) It mitigates Cross-Site Scripting (XSS) attacks
C) It increases web page load speed
D) It allows execution of all inline scripts
Answer: B) It mitigates Cross-Site Scripting (XSS) attacks
Explanation: CSP restricts the execution of scripts, reducing the risk of XSS attacks.
75. What is the role of secure coding guidelines in software development?
A) To make development slower
B) To ensure applications follow security best practices
C) To replace the need for authentication
D) To eliminate the need for security testing
Answer: B) To ensure applications follow security best practices
Explanation: Secure coding guidelines help developers follow best practices to prevent security vulnerabilities.
76. What is the best way to prevent XML External Entity (XXE) attacks?
A) Disable DTD processing in XML parsers
B) Allow all external XML entities
C) Use plaintext instead of XML
D) Store XML files in a public directory
Answer: A) Disable DTD processing in XML parsers
Explanation: Disabling DTD processing prevents attackers from injecting external entities that can be exploited.
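Added example (written for this page, not part of the original quiz) covering questions 23 and 76: "disable DTD processing" implemented as a hard rejection of any document containing a DOCTYPE or ENTITY declaration before it reaches the parser. Without a DTD there is nothing that can declare an external entity (file read, SSRF) or a recursive one (billion laughs). The sample documents are constructed. In production the `defusedxml` package (`defusedxml.ElementTree.fromstring`) provides the same hardening for all the standard-library parsers.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD construct is rejected up front. Failing closed on a false positive (the
# string inside a comment, say) is preferable to letting a DOCTYPE through.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source; raise ValueError if it carries a DTD."""
    if DTD_RE.search(data):
        raise ValueError("DTD/entity declarations are not accepted")
    return ET.fromstring(data)

# Constructed sample documents (not from the page).
BENIGN = b"<order><id>42</id><qty>3</qty></order>"
XXE_ATTEMPT = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               b'<order><id>&xxe;</id></order>')
BILLION_LAUGHS = (b'<!doctype lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                  b'<lolz>&lol2;</lolz>')
```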
77. What is a major risk of allowing unrestricted file downloads in an application?
A) Users may download files too quickly
B) Attackers may exploit it to access sensitive system files
C) It may slow down the website
D) It allows users to download multiple files
Answer: B) Attackers may exploit it to access sensitive system files
Explanation: Unrestricted file access can allow attackers to download sensitive configuration or database files.
78. What is the purpose of the Secure flag in HTTP cookies?
A) To prevent cookies from being accessed over unencrypted HTTP connections
B) To allow JavaScript access to cookies
C) To prevent cookie expiration
D) To make cookies larger
✅ Answer: A) To prevent cookies from being accessed over unencrypted HTTP connections
💡 Explanation: The Secure flag ensures that cookies are only transmitted over HTTPS, preventing MITM attacks.
79. Why should developers avoid storing sensitive data in local storage?
A) Local storage is accessible to JavaScript and can be exploited by XSS attacks
B) Local storage does not support encryption
C) It makes applications load slower
D) It increases bandwidth consumption
✅ Answer: A) Local storage is accessible to JavaScript and can be exploited by XSS attacks
💡 Explanation: Local storage is vulnerable to XSS-based attacks, which can expose sensitive data.
80. What is the main security benefit of using a hashing algorithm like bcrypt for passwords?
A) It ensures passwords can never be decrypted
B) It allows passwords to be stored in plaintext
C) It makes password retrieval easier
D) It improves website performance
✅ Answer: A) It ensures passwords can never be decrypted
💡 Explanation: Hashing (bcrypt, Argon2) irreversibly transforms passwords, making them secure against breaches.
81. What is the risk of using hardcoded credentials in source code?
A) They can be easily extracted and misused by attackers
B) They make authentication faster
C) They improve API performance
D) They help in debugging
✅ Answer: A) They can be easily extracted and misused by attackers
💡 Explanation: Hardcoded credentials can be exposed in repositories, allowing unauthorized access.
82. Why should server software and libraries be updated regularly?
A) To fix security vulnerabilities and improve performance
B) To make debugging easier
C) To reset all application settings
D) To slow down development
✅ Answer: A) To fix security vulnerabilities and improve performance
💡 Explanation: Outdated software can contain known vulnerabilities that attackers can exploit.
83. Why should APIs require authentication and authorization?
A) To prevent unauthorized access and data leaks
B) To slow down API responses
C) To allow open access to all users
D) To increase API costs
✅ Answer: A) To prevent unauthorized access and data leaks
💡 Explanation: APIs should be secured to prevent unauthorized access, data breaches, and abuse.
84. What is the security risk of exposing detailed error messages?
A) Attackers can gain insights into vulnerabilities
B) It helps users debug their applications
C) It speeds up API responses
D) It improves server performance
✅ Answer: A) Attackers can gain insights into vulnerabilities
💡 Explanation: Detailed error messages can expose sensitive information, such as database structure or system details.
85. How can security misconfigurations be exploited?
A) Attackers can access sensitive data or gain unauthorized access
B) They slow down the website
C) They improve security
D) They enhance user experience
✅ Answer: A) Attackers can access sensitive data or gain unauthorized access
💡 Explanation: Misconfigured settings can expose applications to attacks, leading to data breaches or system compromise.
86. What is the best method to prevent brute-force attacks on user accounts?
A) Implement account lockout and CAPTCHA
B) Allow unlimited login attempts
C) Use short passwords
D) Disable logging
✅ Answer: A) Implement account lockout and CAPTCHA
💡 Explanation: Brute-force attacks can be mitigated by limiting failed attempts and using CAPTCHA.
87. What is a common attack vector for Server-Side Request Forgery (SSRF)?
A) Exploiting weak input validation in URL requests
B) Uploading large files
C) Using long passwords
D) Modifying CSS files
✅ Answer: A) Exploiting weak input validation in URL requests
💡 Explanation: SSRF exploits weaknesses in how applications handle external URL requests, often allowing attackers to access internal resources.
88. Why should default admin credentials be changed immediately?
A) Default credentials are well known and easily exploitable
B) They improve system performance
C) They enhance debugging
D) They are required for backups
✅ Answer: A) Default credentials are well known and easily exploitable
💡 Explanation: Attackers often target default admin credentials to gain unauthorized system access.
89. What is a primary security risk of using third-party libraries without vetting them?
A) They may contain vulnerabilities that attackers can exploit
B) They slow down application performance
C) They improve security by default
D) They prevent brute-force attacks
✅ Answer: A) They may contain vulnerabilities that attackers can exploit
💡 Explanation: Third-party libraries may have known vulnerabilities that could expose applications to attacks like Remote Code Execution (RCE) and Dependency Confusion.
90. How can Clickjacking attacks be prevented?
A) By using the X-Frame-Options header
B) By enabling JavaScript debugging
C) By allowing all cross-origin requests
D) By storing session IDs in URLs
✅ Answer: A) By using the X-Frame-Options header
💡 Explanation: Clickjacking occurs when a malicious site overlays a trusted site to trick users. The X-Frame-Options header prevents embedding the site in an iframe.
91. What is the impact of failing to implement proper logging and monitoring?
A) Security incidents may go undetected
B) It increases application speed
C) It helps users reset their passwords
D) It prevents brute-force attacks
✅ Answer: A) Security incidents may go undetected
💡 Explanation: Without logging and monitoring, security breaches, unauthorized access, and data leaks may remain undetected.
92. Why should APIs avoid returning excessive information in error responses?
A) Attackers may use error messages to gather sensitive system details
B) It helps users debug their API calls
C) It improves API response speed
D) It prevents database corruption
✅ Answer: A) Attackers may use error messages to gather sensitive system details
💡 Explanation: Overly detailed error messages can reveal database structure, stack traces, or security configurations, aiding attackers in exploiting vulnerabilities.
93. What is an effective way to prevent Broken Access Control vulnerabilities?
A) Implementing strict role-based access control (RBAC)
B) Using simple passwords
C) Allowing users to access all resources
D) Storing authentication tokens in JavaScript
✅ Answer: A) Implementing strict role-based access control (RBAC)
💡 Explanation: RBAC ensures that users only have access to the resources they are authorized to use, preventing unauthorized access.
94. What is the primary risk of allowing auto-complete for password fields in web applications?
A) Passwords may be stored in the browser and stolen by attackers
B) It makes the login process faster
C) It helps users remember their passwords
D) It prevents session hijacking
✅ Answer: A) Passwords may be stored in the browser and stolen by attackers
💡 Explanation: Disabling auto-complete on password fields reduces the risk of credential theft via malware or session hijacking.
95. Why is it important to validate and sanitize user input in web applications?
A) To prevent injection attacks such as SQL Injection and Cross-Site Scripting (XSS)
B) To make the application load faster
C) To allow users to input any data they want
D) To prevent brute-force attacks
✅ Answer: A) To prevent injection attacks such as SQL Injection and Cross-Site Scripting (XSS)
💡 Explanation: Validating and sanitizing user input prevents malicious code execution, reducing attack vectors like SQLi and XSS.
96. What is a common security issue when using JSON Web Tokens (JWT)?
A) Storing JWTs in local storage without expiration control
B) Using strong cryptographic keys
C) Implementing token expiration and revocation mechanisms
D) Encrypting the JWT payload
✅ Answer: A) Storing JWTs in local storage without expiration control
💡 Explanation: Storing JWTs in local storage exposes them to XSS attacks, and failing to implement expiration and revocation increases the risk of token theft.
97. How can developers prevent HTTP Host Header Injection attacks?
A) By validating and rejecting untrusted host headers
B) By allowing any host header values
C) By storing user input in HTTP headers
D) By enabling CORS for all domains
✅ Answer: A) By validating and rejecting untrusted host headers
💡 Explanation: Attackers can manipulate host headers to route requests to malicious servers or conduct cache poisoning attacks, so proper validation is necessary.
98. What is the best way to prevent unauthorized access to database queries?
A) Using prepared statements and parameterized queries
B) Using dynamic SQL with concatenated strings
C) Allowing users to execute queries directly
D) Storing SQL queries in cookies
✅ Answer: A) Using prepared statements and parameterized queries
💡 Explanation: Prepared statements ensure user input is treated as data, preventing SQL Injection attacks.
99. Why is it important to use HTTPS instead of HTTP?
A) To encrypt data in transit and prevent Man-in-the-Middle (MITM) attacks
B) To speed up network traffic
C) To improve website caching
D) To allow search engines to crawl the website faster
✅ Answer: A) To encrypt data in transit and prevent Man-in-the-Middle (MITM) attacks
💡 Explanation: HTTPS uses TLS encryption to protect data in transit from eavesdropping, MITM attacks, and data tampering.
100. What is the primary reason for implementing security headers in web applications?
A) To mitigate common web vulnerabilities like XSS, Clickjacking, and MIME-type sniffing
B) To increase website speed
C) To replace firewall security
D) To allow unrestricted cross-origin access
✅ Answer: A) To mitigate common web vulnerabilities like XSS, Clickjacking, and MIME-type sniffing
💡 Explanation: Security headers (CSP, X-Frame-Options, HSTS, etc.) help protect applications from various web-based attacks.
101. What is the risk of failing to implement proper session timeout mechanisms?
A) Attackers can hijack inactive user sessions
B) Users have to log in frequently
C) It improves website performance
D) It prevents brute-force attacks
✅ Answer: A) Attackers can hijack inactive user sessions
💡 Explanation: Session timeout mechanisms ensure that unused sessions expire, reducing the risk of session hijacking and unauthorized access.
102. Why should secure defaults be implemented in software development?
A) To reduce security misconfigurations
B) To make debugging easier
C) To allow users to set their own security policies
D) To increase application speed
✅ Answer: A) To reduce security misconfigurations
💡 Explanation: Secure defaults ensure that applications are protected by default, minimizing the risk of unintended vulnerabilities.
103. What is the best way to protect against path traversal attacks?
A) Validate and sanitize user-supplied file paths
B) Allow users to access any file they request
C) Store files in an unprotected directory
D) Use hardcoded file paths in the code
✅ Answer: A) Validate and sanitize user-supplied file paths
💡 Explanation: Path traversal attacks exploit insecure file path handling, so proper validation is essential.
104. Why should password hints and security questions be avoided for account recovery?
A) They are often easy for attackers to guess
B) They improve user experience
C) They make password recovery faster
D) They prevent phishing attacks
✅ Answer: A) They are often easy for attackers to guess
💡 Explanation: Attackers can exploit publicly available information to guess security questions, making them an insecure method for password recovery.
105. What is a major security risk of exposing debug mode in a production environment?
A) It reveals sensitive system details and vulnerabilities
B) It speeds up application performance
C) It improves error tracking for users
D) It prevents denial-of-service attacks
✅ Answer: A) It reveals sensitive system details and vulnerabilities
💡 Explanation: Debug mode may expose stack traces, database queries, and system configurations, which can be exploited by attackers.
106. How can developers prevent insecure object references in APIs?
A) Implementing access control and object ID validation
B) Allowing users to access all objects
C) Storing API keys in client-side JavaScript
D) Using sequential object IDs
✅ Answer: A) Implementing access control and object ID validation
💡 Explanation: Insecure Direct Object References (IDOR) occur when API endpoints fail to enforce proper access control.
107. Why should cookies not be used to store sensitive user information?
A) Cookies can be intercepted and manipulated by attackers
B) They make login faster
C) They improve search engine ranking
D) They help users remember passwords
✅ Answer: A) Cookies can be intercepted and manipulated by attackers
💡 Explanation: Cookies are vulnerable to theft via XSS and MITM attacks, making them an insecure place for storing sensitive data.
108. What is the best way to prevent an attacker from tampering with URL parameters?
A) Using HMAC-signed or encrypted parameters
B) Allowing users to modify URL parameters freely
C) Storing sensitive data in the URL
D) Using weak encryption
✅ Answer: A) Using HMAC-signed or encrypted parameters
💡 Explanation: URL parameters can be tampered with, so signing or encrypting them ensures data integrity.
109. Why is proper error handling important in web applications?
A) To prevent attackers from gathering system information
B) To increase server response time
C) To help users debug issues
D) To allow unrestricted access to logs
✅ Answer: A) To prevent attackers from gathering system information
💡 Explanation: Improper error handling can reveal stack traces, SQL queries, or system details, aiding attackers.
110. What is a primary security risk of allowing unrestricted file execution on a server?
A) Attackers can execute malicious scripts and gain remote control
B) It makes the server respond faster
C) It improves user experience
D) It reduces resource consumption
✅ Answer: A) Attackers can execute malicious scripts and gain remote control
💡 Explanation: Unrestricted file execution can lead to Remote Code Execution (RCE) attacks, compromising the server.
111. What is the best practice for securely implementing OAuth authentication?
A) Using short-lived access tokens and refresh tokens
B) Hardcoding client secrets in JavaScript
C) Allowing users to bypass authentication
D) Using the same token indefinitely
✅ Answer: A) Using short-lived access tokens and refresh tokens
💡 Explanation: Short-lived access tokens limit exposure, and refresh tokens can be used to generate new ones securely.
112. How can developers prevent log forging attacks?
A) Sanitizing user input before writing it to logs
B) Allowing users to modify log files
C) Storing logs in plaintext files
D) Allowing log messages from untrusted sources
✅ Answer: A) Sanitizing user input before writing it to logs
💡 Explanation: Log forging allows attackers to manipulate logs, making sanitization necessary to maintain log integrity.
113. Why should CORS policies not be set to Access-Control-Allow-Origin: * in production?
A) It allows unauthorized cross-origin access to APIs
B) It speeds up API responses
C) It improves caching efficiency
D) It prevents CSRF attacks
✅ Answer: A) It allows unauthorized cross-origin access to APIs
💡 Explanation: A wildcard CORS policy exposes APIs to abuse, as any website can make requests to them.
114. What is a major concern when using cloud-based storage services?
A) Data breaches due to misconfigured permissions
B) Increased website speed
C) Limited file storage capacity
D) Improved SEO ranking
✅ Answer: A) Data breaches due to misconfigured permissions
💡 Explanation: Cloud storage misconfigurations can expose sensitive data to unauthorized users.
115. Why should user permissions be reviewed regularly in an application?
A) To prevent privilege escalation and unauthorized access
B) To slow down application performance
C) To allow unrestricted access to all users
D) To remove authentication requirements
✅ Answer: A) To prevent privilege escalation and unauthorized access
💡 Explanation: Regular permission reviews ensure that users only have the access they need, preventing security risks.
116. How can web applications mitigate DNS Rebinding attacks?
A) Implementing same-origin policy and DNS pinning
B) Allowing unrestricted cross-origin requests
C) Using weak DNS records
D) Disabling HTTPS
✅ Answer: A) Implementing same-origin policy and DNS pinning
💡 Explanation: DNS Rebinding attacks trick browsers into making unauthorized requests, so DNS pinning helps prevent them.
117. Why should unused APIs and endpoints be disabled?
A) To reduce the attack surface and prevent exploitation
B) To improve search engine ranking
C) To make API requests faster
D) To allow more flexibility in authentication
✅ Answer: A) To reduce the attack surface and prevent exploitation
💡 Explanation: Unused APIs may contain security vulnerabilities, so disabling them minimizes risk.
118. What is a key reason why application logs should be protected?
A) To prevent attackers from tampering with logs and covering their tracks
B) To improve application performance
C) To allow unauthorized users to debug issues
D) To reduce database load
✅ Answer: A) To prevent attackers from tampering with logs and covering their tracks
💡 Explanation: Log integrity is critical for incident response and forensic analysis, ensuring attackers cannot erase or alter logs.
119. How can improper handling of file permissions create security risks?
A) Attackers may gain unauthorized access to sensitive files
B) It makes the file system run slower
C) It improves SEO rankings
D) It prevents system updates
✅ Answer: A) Attackers may gain unauthorized access to sensitive files
💡 Explanation: Improper file permissions can expose confidential data or allow attackers to modify critical system files.
120. Why should secure password reset mechanisms be enforced?
A) To prevent attackers from easily resetting user passwords
B) To make the reset process faster
C) To allow users to choose weak passwords
D) To improve site traffic
✅ Answer: A) To prevent attackers from easily resetting user passwords
💡 Explanation: Password reset mechanisms must be secure, requiring identity verification to prevent unauthorized password changes.
121. What is a common risk when using public Wi-Fi for authentication?
A) Man-in-the-Middle (MITM) attacks can intercept login credentials
B) It improves password strength
C) It speeds up website access
D) It increases session expiration time
✅ Answer: A) Man-in-the-Middle (MITM) attacks can intercept login credentials
💡 Explanation: Attackers can intercept login credentials on unsecured networks, so using VPNs and HTTPS is essential.
122. Why should developers avoid using wildcard (*) SSL/TLS certificates for all subdomains?
A) If one subdomain is compromised, all subdomains become vulnerable
B) It improves website speed
C) It simplifies certificate management
D) It eliminates the need for encryption
✅ Answer: A) If one subdomain is compromised, all subdomains become vulnerable
💡 Explanation: Wildcard certificates can increase risk, as one compromised subdomain could lead to a breach of all others.
123. What is a potential security risk when using API keys for authentication?
A) Exposing API keys in client-side code allows unauthorized access
B) API keys make authentication stronger
C) API keys cannot be compromised
D) API keys are encrypted by default
✅ Answer: A) Exposing API keys in client-side code allows unauthorized access
💡 Explanation: API keys should be kept confidential and stored securely (e.g., in environment variables, not in client-side code).
124. How can an application protect sensitive user data in case of a database breach?
A) Encrypting sensitive data at rest and in transit
B) Storing data in plaintext
C) Using weak hashing algorithms
D) Disabling authentication
✅ Answer: A) Encrypting sensitive data at rest and in transit
💡 Explanation: Encryption ensures that even if data is stolen, it remains unreadable to attackers.
125. What is the best way to secure admin login pages against brute-force attacks?
A) Implementing CAPTCHA and account lockout after failed attempts
B) Allowing unlimited login attempts
C) Using simple passwords
D) Disabling two-factor authentication (2FA)
✅ Answer: A) Implementing CAPTCHA and account lockout after failed attempts
💡 Explanation: Brute-force attacks can be mitigated using CAPTCHA, rate limiting, and account lockout mechanisms.
126. Why is it important to implement strict JSON Web Token (JWT) expiration policies?
A) To reduce the risk of session hijacking
B) To improve login speed
C) To allow long-term access without re-authentication
D) To enable unlimited token usage
✅ Answer: A) To reduce the risk of session hijacking
💡 Explanation: Long-lived JWTs can be stolen and misused, so short expiration times enhance security.
127. What security issue can arise from excessive permissions on cloud storage (e.g., AWS S3 buckets)?
A) Unauthorized users can access or modify sensitive files
B) It speeds up file access
C) It improves website ranking
D) It reduces API call latency
✅ Answer: A) Unauthorized users can access or modify sensitive files
💡 Explanation: Misconfigured cloud storage can lead to unauthorized access or data breaches, making proper access control essential.
128. How can Cross-Site WebSocket Hijacking (CSWH) be mitigated?
A) Implementing proper authentication and checking the origin header
B) Allowing all WebSocket connections
C) Using insecure transport mechanisms
D) Disabling authentication for WebSockets
✅ Answer: A) Implementing proper authentication and checking the origin header
💡 Explanation: CSWH exploits improperly validated WebSocket requests, so origin checks and authentication are required.
129. What is the danger of failing to implement proper session revocation mechanisms?
A) Users can remain logged in indefinitely, even after a password reset
B) It improves website performance
C) It prevents XSS attacks
D) It makes session management easier
✅ Answer: A) Users can remain logged in indefinitely, even after a password reset
💡 Explanation: Session revocation ensures that old or stolen sessions cannot be reused, reducing session hijacking risks.
130. Why should applications avoid storing payment card details directly?
A) To comply with PCI DSS regulations and reduce security risks
B) To increase transaction speeds
C) To improve SEO ranking
D) To allow customers to store multiple cards
✅ Answer: A) To comply with PCI DSS regulations and reduce security risks
💡 Explanation: Storing payment card data directly increases liability and security risks, so tokenization or external payment gateways should be used.
131. Why should a strong Content Security Policy (CSP) be used in modern web applications?
A) To prevent unauthorized execution of scripts and reduce XSS risks
B) To slow down page rendering
C) To increase JavaScript execution speed
D) To allow all types of third-party scripts
✅ Answer: A) To prevent unauthorized execution of scripts and reduce XSS risks
💡 Explanation: A strong CSP prevents the execution of untrusted scripts, mitigating Cross-Site Scripting (XSS) attacks.
132. How does implementing a security-first development approach benefit organizations?
A) It helps prevent security vulnerabilities from being introduced early in the SDLC
B) It makes development slower
C) It increases application size
D) It prevents data compression
✅ Answer: A) It helps prevent security vulnerabilities from being introduced early in the SDLC
💡 Explanation: A security-first approach ensures that security is integrated into every phase of development, preventing costly vulnerabilities.
133. Why is it important to enforce API access control mechanisms?
A) To prevent unauthorized users from accessing sensitive data
B) To make API requests faster
C) To allow unrestricted access to all users
D) To simplify authentication
✅ Answer: A) To prevent unauthorized users from accessing sensitive data
💡 Explanation: Access control mechanisms prevent unauthorized access to critical API endpoints and sensitive data.
134. Why should an application enforce account lockout after multiple failed login attempts?
A) To prevent brute-force attacks
B) To improve login speed
C) To allow users to retry passwords indefinitely
D) To reduce the need for authentication
✅ Answer: A) To prevent brute-force attacks
💡 Explanation: Account lockout prevents attackers from repeatedly guessing passwords, reducing brute-force attack risks.
135. How can an application securely store API tokens?
A) In environment variables or a secure vault
B) In client-side JavaScript files
C) In URL parameters
D) In plaintext database records
✅ Answer: A) In environment variables or a secure vault
💡 Explanation: API tokens should be stored securely (e.g., environment variables, vaults) to prevent exposure.
136. Why should user-generated content be sanitized before being displayed?
A) To prevent Cross-Site Scripting (XSS) attacks
B) To improve website speed
C) To allow all user input
D) To improve search rankings
✅ Answer: A) To prevent Cross-Site Scripting (XSS) attacks
💡 Explanation: Unsanitized user input can contain malicious scripts, leading to XSS attacks.
137. What is the main reason why session IDs should be long and randomly generated?
A) To prevent session fixation and brute-force attacks
B) To make session management easier
C) To improve website performance
D) To allow users to predict their session ID
✅ Answer: A) To prevent session fixation and brute-force attacks
💡 Explanation: Long, random session IDs reduce the likelihood of predictable session tokens, making hijacking difficult.
138. What is a major security concern when using WebSockets?
A) Lack of built-in authentication and cross-origin restrictions
B) Slow data transmission
C) Increased CPU usage
D) Weak encryption
✅ Answer: A) Lack of built-in authentication and cross-origin restrictions
💡 Explanation: WebSockets can be vulnerable to hijacking if authentication and origin checks are not implemented.
139. What is the purpose of implementing role-based access control (RBAC)?
A) To limit user permissions based on their role
B) To allow unrestricted access to all users
C) To improve search engine ranking
D) To prevent phishing attacks
✅ Answer: A) To limit user permissions based on their role
💡 Explanation: RBAC ensures users only have the access required for their role, preventing unauthorized actions.
140. Why should security patches be applied promptly?
A) To fix known vulnerabilities before attackers exploit them
B) To slow down application performance
C) To remove authentication mechanisms
D) To improve website SEO
✅ Answer: A) To fix known vulnerabilities before attackers exploit them
💡 Explanation: Delaying patches leaves applications exposed to known exploits, increasing security risks.
141. How does the HttpOnly cookie attribute improve security?
A) It prevents JavaScript from accessing cookies, reducing XSS risks
B) It encrypts cookies automatically
C) It disables cookies for authenticated users
D) It speeds up web page loading
✅ Answer: A) It prevents JavaScript from accessing cookies, reducing XSS risks
💡 Explanation: HttpOnly cookies are not accessible via JavaScript, reducing the risk of XSS-based session hijacking.
142. Why should user passwords be hashed instead of encrypted?
A) Hashing is a one-way function that prevents password retrieval
B) It makes authentication faster
C) It allows passwords to be decrypted easily
D) It improves database performance
✅ Answer: A) Hashing is a one-way function that prevents password retrieval
💡 Explanation: Hashing passwords (bcrypt, Argon2) ensures they cannot be reversed, unlike encryption.
143. Why should HTTP security headers like Strict-Transport-Security (HSTS) be used?
A) To enforce HTTPS connections and prevent MITM attacks
B) To speed up HTTP requests
C) To allow mixed-content loading
D) To disable TLS encryption
✅ Answer: A) To enforce HTTPS connections and prevent MITM attacks
💡 Explanation: HSTS ensures all communication happens over HTTPS, reducing the risk of downgrade attacks.
144. How can an application mitigate the risks of Insecure Deserialization?
A) By validating and restricting serialized objects
B) By allowing all object deserialization
C) By using weak cryptographic keys
D) By allowing users to modify serialized objects
✅ Answer: A) By validating and restricting serialized objects
💡 Explanation: Insecure deserialization can lead to remote code execution, so strict validation is required.
145. What is a key risk of using outdated third-party dependencies in applications?
A) Known vulnerabilities may be exploited by attackers
B) It increases website traffic
C) It speeds up application performance
D) It improves memory management
✅ Answer: A) Known vulnerabilities may be exploited by attackers
💡 Explanation: Old libraries may contain security flaws, making regular updates essential.
146. Why should error messages be generic for users?
A) To avoid revealing sensitive system information
B) To make debugging easier for attackers
C) To slow down server responses
D) To increase search engine rankings
✅ Answer: A) To avoid revealing sensitive system information
💡 Explanation: Detailed error messages can disclose security vulnerabilities, so only logs should contain detailed errors.
147. What is the best way to prevent unauthorized direct access to web application files?
A) Restricting direct access via proper file permissions and .htaccess rules
B) Storing sensitive files in public directories
C) Allowing all file types to be accessed
D) Using default server configurations
✅ Answer: A) Restricting direct access via proper file permissions and .htaccess rules
💡 Explanation: Configuring access control on sensitive files prevents direct access by attackers.
148. How can a web application prevent Cross-Site Script Inclusion (XSSI) attacks?
A) Using the X-Content-Type-Options: nosniff header
B) Allowing all script sources
C) Disabling JavaScript execution
D) Using HTTP instead of HTTPS
✅ Answer: A) Using the X-Content-Type-Options: nosniff header
💡 Explanation: The nosniff header prevents browsers from executing malicious script files, reducing XSSI risks.
149. What is the purpose of implementing security logging and monitoring?
A) To detect and respond to security incidents in real-time
B) To slow down website performance
C) To increase bandwidth consumption
D) To allow unrestricted access to logs
✅ Answer: A) To detect and respond to security incidents in real-time
💡 Explanation: Security logging helps detect suspicious activities, enabling timely responses to attacks.
150. Why should applications enforce Multi-Factor Authentication (MFA)?
A) To add an extra layer of security beyond passwords
B) To make authentication easier
C) To store user passwords in plaintext
D) To improve website speed
✅ Answer: A) To add an extra layer of security beyond passwords
💡 Explanation: MFA helps prevent unauthorized access, even if a user’s password is compromised.
151. Why should the use of eval() in JavaScript be avoided?
A) It allows execution of arbitrary code, leading to security vulnerabilities
B) It improves website performance
C) It speeds up script execution
D) It is required for modern JavaScript frameworks
✅ Answer: A) It allows execution of arbitrary code, leading to security vulnerabilities
💡 Explanation: eval() can execute untrusted input, leading to Cross-Site Scripting (XSS) and Remote Code Execution (RCE) risks.
152. What is the risk of using predictable session IDs in authentication systems?
A) Attackers can guess session tokens and hijack user sessions
B) It speeds up session management
C) It improves authentication reliability
D) It helps users log in faster
✅ Answer: A) Attackers can guess session tokens and hijack user sessions
💡 Explanation: Weak or predictable session IDs allow attackers to perform session fixation and hijacking attacks.
153. How can SQL Injection vulnerabilities be prevented?
A) By using parameterized queries and prepared statements
B) By concatenating user input into SQL queries
C) By allowing direct database access to all users
D) By disabling authentication
✅ Answer: A) By using parameterized queries and prepared statements
💡 Explanation: Parameterized queries separate SQL code from user input, preventing SQL Injection attacks.
154. What is the best way to prevent unauthorized changes to sensitive configuration files?
A) Restrict file permissions and use secure access controls
B) Store configuration files in a publicly accessible directory
C) Allow all users to modify configuration files
D) Disable logging for configuration changes
✅ Answer: A) Restrict file permissions and use secure access controls
💡 Explanation: Ensuring configuration files are protected with proper access controls prevents unauthorized modifications.
155. What type of attack does the X-Frame-Options HTTP header help prevent?
A) Clickjacking
B) SQL Injection
C) Cross-Site Scripting (XSS)
D) Brute-force attacks
✅ Answer: A) Clickjacking
💡 Explanation: The X-Frame-Options header prevents a webpage from being loaded inside an iframe, mitigating Clickjacking attacks.
156. Why should sensitive data never be stored in browser local storage?
A) It can be accessed by JavaScript and stolen via XSS attacks
B) It improves session persistence
C) It speeds up database queries
D) It helps improve website SEO
✅ Answer: A) It can be accessed by JavaScript and stolen via XSS attacks
💡 Explanation: Local storage is accessible to scripts, making it vulnerable to Cross-Site Scripting (XSS) attacks.
157. How does a Web Application Firewall (WAF) enhance security?
A) By filtering and blocking malicious web traffic
B) By improving website speed
C) By replacing the need for HTTPS
D) By preventing server crashes
✅ Answer: A) By filtering and blocking malicious web traffic
💡 Explanation: A WAF helps protect against common attacks like SQL Injection, XSS, and DDoS by analyzing and filtering web traffic.
158. Why is logging out of applications after a period of inactivity important?
A) To prevent session hijacking and unauthorized access
B) To increase website load time
C) To allow users to stay logged in indefinitely
D) To improve caching efficiency
✅ Answer: A) To prevent session hijacking and unauthorized access
💡 Explanation: Automatic session expiration reduces the risk of an attacker taking over an inactive session.
159. What is the security risk of failing to validate file uploads?
A) Attackers can upload malicious files and execute remote code
B) Users may upload too many images
C) It slows down the application
D) It increases bandwidth usage
✅ Answer: A) Attackers can upload malicious files and execute remote code
💡 Explanation: Validating file types and restricting uploads prevents attackers from uploading executable scripts.
160. Why should API endpoints avoid using incremental numeric IDs for records?
A) It makes Insecure Direct Object References (IDOR) easier to exploit
B) It improves database performance
C) It makes URL sharing easier
D) It speeds up API responses
✅ Answer: A) It makes Insecure Direct Object References (IDOR) easier to exploit
💡 Explanation: Using predictable IDs allows attackers to manipulate API requests to access unauthorized data.
161. What is the best way to prevent HTTP Parameter Pollution (HPP) attacks?
A) Enforcing strict parameter validation on the server-side
B) Allowing multiple duplicate parameters in requests
C) Using client-side validation only
D) Storing parameters in local storage
✅ Answer: A) Enforcing strict parameter validation on the server-side
💡 Explanation: HPP exploits improperly handled HTTP parameters, so validating and sanitizing input prevents this attack.
162. Why should developers avoid exposing stack traces to users?
A) Stack traces may reveal sensitive system details and vulnerabilities
B) It improves debugging for users
C) It speeds up page rendering
D) It helps in database indexing
✅ Answer: A) Stack traces may reveal sensitive system details and vulnerabilities
💡 Explanation: Attackers can use stack trace information to find exploitable weaknesses in the system.
163. How can an application defend against Cross-Site WebSocket Hijacking (CSWH)?
A) By implementing origin checks and authentication
B) By allowing all WebSocket connections
C) By disabling HTTPS
D) By using insecure transport methods
✅ Answer: A) By implementing origin checks and authentication
💡 Explanation: Validating origins and requiring authentication ensures WebSockets are not exploited by attackers.
164. What is the best practice for handling JWT expiration?
A) Setting a short expiration time and using refresh tokens
B) Using JWT tokens indefinitely
C) Allowing expired tokens to be reused
D) Storing JWTs in local storage
✅ Answer: A) Setting a short expiration time and using refresh tokens
💡 Explanation: Short-lived JWTs reduce security risks, while refresh tokens provide controlled access extension.
165. Why should error messages not disclose whether a username exists during login?
A) To prevent user enumeration attacks
B) To speed up authentication
C) To improve error handling
D) To allow users to reset their passwords easily
✅ Answer: A) To prevent user enumeration attacks
💡 Explanation: Revealing whether a username exists helps attackers identify valid accounts, making brute-force and phishing attacks easier.
166. How can applications prevent host header attacks?
A) By validating and restricting allowed host headers
B) By allowing all host headers
C) By using default configurations
D) By allowing user-generated host headers
✅ Answer: A) By validating and restricting allowed host headers
💡 Explanation: Host header attacks exploit improperly validated headers, potentially leading to cache poisoning and request smuggling.
167. What is the best way to prevent excessive API usage abuse?
A) Implementing rate limiting and API key authentication
B) Allowing unlimited requests
C) Disabling authentication
D) Using public API keys
✅ Answer: A) Implementing rate limiting and API key authentication
💡 Explanation: Rate limiting prevents excessive requests, reducing the risk of DDoS and API abuse.
168. What is the best way to prevent privilege escalation attacks?
A) Implementing the principle of least privilege (PoLP)
B) Allowing all users to run commands as root/admin
C) Storing credentials in publicly accessible files
D) Using weak authentication mechanisms
✅ Answer: A) Implementing the principle of least privilege (PoLP)
💡 Explanation: Users should only have the permissions necessary for their tasks, reducing privilege escalation risks.
169. Why should an application avoid using hardcoded API keys in source code?
A) Hardcoded keys can be extracted and misused by attackers
B) It speeds up API calls
C) It prevents brute-force attacks
D) It allows easy key rotation
✅ Answer: A) Hardcoded keys can be extracted and misused by attackers
💡 Explanation: Exposing API keys in source code makes them vulnerable to leaks, so secure vaults or environment variables should be used.
170. What is the security risk of using deprecated cryptographic algorithms like MD5 and SHA-1?
A) They are vulnerable to collision attacks, making hashes unreliable
B) They improve encryption speed
C) They reduce storage space
D) They increase system performance
✅ Answer: A) They are vulnerable to collision attacks, making hashes unreliable
💡 Explanation: MD5 and SHA-1 have known weaknesses, making them insecure for hashing sensitive data.
171. How does implementing Multi-Factor Authentication (MFA) improve security?
A) It requires multiple forms of verification, reducing unauthorized access risks
B) It replaces the need for passwords
C) It makes the login process slower
D) It prevents phishing attacks entirely
✅ Answer: A) It requires multiple forms of verification, reducing unauthorized access risks
💡 Explanation: MFA adds an extra layer of security, ensuring that an attacker needs more than just a password to gain access.
172. Why should CORS (Cross-Origin Resource Sharing) policies be configured carefully?
A) Misconfigured CORS can allow unauthorized websites to access sensitive data
B) CORS settings improve server performance
C) CORS settings reduce database load
D) CORS settings are required for caching
✅ Answer: A) Misconfigured CORS can allow unauthorized websites to access sensitive data
💡 Explanation: Improper CORS configurations can lead to unauthorized API access and data leakage.
173. What is the best practice for securely handling user authentication?
A) Using strong password policies and hashing credentials with bcrypt or Argon2
B) Storing passwords in plaintext
C) Allowing users to reuse old passwords
D) Using weak password policies
✅ Answer: A) Using strong password policies and hashing credentials with bcrypt or Argon2
💡 Explanation: Secure password storage and strong policies prevent credential-based attacks.
174. What is the risk of allowing users to set extremely weak passwords?
A) Attackers can easily guess or crack them using brute-force attacks
B) It improves user experience
C) It reduces server load
D) It speeds up authentication
✅ Answer: A) Attackers can easily guess or crack them using brute-force attacks
💡 Explanation: Weak passwords make accounts easy targets for brute-force and credential stuffing attacks.
175. How can an application prevent an XML External Entity (XXE) attack?
A) Disabling external entity processing in XML parsers
B) Allowing unrestricted XML parsing
C) Using only plaintext XML without validation
D) Allowing user-controlled XML inputs
✅ Answer: A) Disabling external entity processing in XML parsers
💡 Explanation: XXE vulnerabilities allow attackers to read system files or execute remote requests, so disabling external entities mitigates risk.
176. What is the security risk of allowing unrestricted file uploads?
A) Attackers can upload and execute malicious scripts
B) Users can upload large images
C) It slows down the website
D) It improves file access times
✅ Answer: A) Attackers can upload and execute malicious scripts
💡 Explanation: Unrestricted file uploads can lead to remote code execution (RCE) and data breaches.
177. Why should applications use HTTPS instead of HTTP?
A) To encrypt data in transit and prevent Man-in-the-Middle (MITM) attacks
B) To speed up page load times
C) To allow faster DNS resolution
D) To reduce server costs
✅ Answer: A) To encrypt data in transit and prevent Man-in-the-Middle (MITM) attacks
💡 Explanation: HTTPS ensures data confidentiality and integrity, protecting it from interception and tampering.
178. What is the risk of allowing unauthenticated API access?
A) Attackers can exploit API endpoints to access or modify sensitive data
B) It improves API response speed
C) It simplifies API requests
D) It increases search engine ranking
✅ Answer: A) Attackers can exploit API endpoints to access or modify sensitive data
💡 Explanation: Unauthenticated APIs can be abused, leading to data breaches and unauthorized actions.
179. How can an application prevent brute-force attacks on login pages?
A) Implementing rate limiting and CAPTCHA
B) Allowing unlimited login attempts
C) Using simple password policies
D) Storing passwords in session storage
✅ Answer: A) Implementing rate limiting and CAPTCHA
💡 Explanation: Brute-force attacks can be mitigated by limiting login attempts and adding CAPTCHA verification.
180. What is the security benefit of implementing Content Security Policy (CSP) in a web application?
A) It helps prevent Cross-Site Scripting (XSS) by restricting allowed content sources
B) It speeds up JavaScript execution
C) It improves search engine optimization
D) It reduces bandwidth usage
✅ Answer: A) It helps prevent Cross-Site Scripting (XSS) by restricting allowed content sources
💡 Explanation: CSP prevents browsers from executing untrusted scripts, reducing XSS attack risks.
181. Why should security patches be applied as soon as they become available?
A) To prevent attackers from exploiting known vulnerabilities
B) To increase application load speed
C) To improve search engine rankings
D) To disable authentication
✅ Answer: A) To prevent attackers from exploiting known vulnerabilities
💡 Explanation: Delaying security patches leaves applications vulnerable to exploits targeting known security flaws.
182. What is the risk of not implementing proper session expiration?
A) Attackers can reuse old sessions to gain unauthorized access
B) Users will have to log in frequently
C) It speeds up authentication
D) It improves the user experience
✅ Answer: A) Attackers can reuse old sessions to gain unauthorized access
💡 Explanation: Proper session expiration prevents attackers from using stolen or long-lived session tokens.
183. Why should unnecessary HTTP methods (e.g., TRACE, PUT, DELETE) be disabled on a web server?
A) They can be abused for attacks like Cross-Site Tracing (XST) and method tampering
B) They slow down HTTP request processing
C) They improve API performance
D) They make user authentication easier
✅ Answer: A) They can be abused for attacks like Cross-Site Tracing (XST) and method tampering
💡 Explanation: Disabling unused HTTP methods prevents attackers from exploiting them for unauthorized actions.
184. What is the best way to prevent sensitive information from being leaked through error messages?
A) Display generic error messages to users while logging detailed errors internally
B) Show full stack traces to users for debugging
C) Allow users to access server logs
D) Provide database error details in the response
✅ Answer: A) Display generic error messages to users while logging detailed errors internally
💡 Explanation: Detailed errors should be logged securely, while users should only see generic messages to prevent information disclosure.
185. Why is it important to implement the principle of least privilege (PoLP) in database access?
A) To prevent unauthorized access and limit damage if credentials are compromised
B) To improve query performance
C) To allow all users unrestricted database access
D) To store data more efficiently
✅ Answer: A) To prevent unauthorized access and limit damage if credentials are compromised
💡 Explanation: Restricting database access reduces the impact of credential leaks and unauthorized access.
186. How can an application prevent Reflected Cross-Site Scripting (XSS) attacks?
A) By properly encoding user input before rendering it in the response
B) By allowing all scripts to execute freely
C) By disabling input validation
D) By storing JavaScript code in user-generated content
✅ Answer: A) By properly encoding user input before rendering it in the response
💡 Explanation: Output encoding ensures user input is not executed as JavaScript, preventing Reflected XSS attacks.
187. What is a common security risk associated with JSON Web Tokens (JWT)?
A) Using weak signing algorithms like none or HS256 with weak keys
B) Encrypting the payload to secure the token
C) Setting short expiration times for tokens
D) Implementing refresh tokens
✅ Answer: A) Using weak signing algorithms like none or HS256 with weak keys
💡 Explanation: Weak JWT signing algorithms make it easy for attackers to forge tokens, leading to unauthorized access.
188. What is a major security risk of exposing software version details in HTTP headers?
A) Attackers can use version details to exploit known vulnerabilities
B) It improves website performance
C) It enhances API response times
D) It prevents Cross-Site Scripting (XSS)
✅ Answer: A) Attackers can use version details to exploit known vulnerabilities
💡 Explanation: Hiding software version details prevents attackers from targeting known security flaws.
189. Why should security questions not be used as a sole method for password recovery?
A) Answers to security questions are often easy to guess or publicly available
B) Security questions improve password strength
C) Security questions prevent brute-force attacks
D) Security questions reduce authentication time
✅ Answer: A) Answers to security questions are often easy to guess or publicly available
💡 Explanation: Security questions can be guessed or socially engineered, making them insecure for password recovery.
190. What is the best way to prevent brute-force attacks on API endpoints?
A) Implementing rate limiting and requiring authentication
B) Allowing unlimited API requests
C) Using simple API keys
D) Storing API responses in local storage
✅ Answer: A) Implementing rate limiting and requiring authentication
💡 Explanation: Rate limiting prevents excessive requests, while authentication ensures that only authorized users access the API.
191. How can an application mitigate Server-Side Request Forgery (SSRF) attacks?
A) Restricting outgoing requests to trusted destinations
B) Allowing all external requests
C) Using weak input validation
D) Disabling authentication
✅ Answer: A) Restricting outgoing requests to trusted destinations
💡 Explanation: SSRF exploits applications that make unvalidated outbound requests, so restricting them minimizes the attack surface.
192. What is the security risk of allowing users to set long session lifetimes?
A) Attackers can hijack sessions and retain access for extended periods
B) It improves session persistence
C) It prevents password resets
D) It enhances user experience
✅ Answer: A) Attackers can hijack sessions and retain access for extended periods
💡 Explanation: Shorter session lifetimes reduce the risk of hijacked sessions being exploited indefinitely.
193. Why should applications restrict access to administrative interfaces?
A) To prevent unauthorized access and reduce attack exposure
B) To improve server performance
C) To allow all users administrative privileges
D) To simplify user management
✅ Answer: A) To prevent unauthorized access and reduce attack exposure
💡 Explanation: Restricting admin panel access prevents attackers from taking control of application settings.
194. Why should HTTP Referer headers not be relied upon for authentication?
A) They can be manipulated or stripped by attackers
B) They improve website speed
C) They enhance search engine rankings
D) They are required for HTTPS connections
✅ Answer: A) They can be manipulated or stripped by attackers
💡 Explanation: Relying on Referer headers is insecure, as attackers can modify or remove them.
195. What is the purpose of implementing account lockout mechanisms?
A) To prevent automated brute-force attacks on user accounts
B) To reduce login attempts for all users
C) To slow down authentication
D) To improve API performance
✅ Answer: A) To prevent automated brute-force attacks on user accounts
💡 Explanation: Account lockout mechanisms limit the number of failed login attempts, reducing brute-force attacks.
196. How can applications securely store cryptographic keys?
A) Using secure key management solutions or hardware security modules (HSM)
B) Storing keys in source code
C) Keeping keys in plaintext files
D) Using weak encryption
✅ Answer: A) Using secure key management solutions or hardware security modules (HSM)
💡 Explanation: Proper key management prevents unauthorized access and key leakage.
197. Why should authentication tokens be sent over HTTPS?
A) To prevent interception by attackers via Man-in-the-Middle (MITM) attacks
B) To improve page load speeds
C) To reduce database queries
D) To increase search engine rankings
✅ Answer: A) To prevent interception by attackers via Man-in-the-Middle (MITM) attacks
💡 Explanation: Sending tokens over HTTPS ensures secure transmission and prevents interception.
198. How can applications prevent Cross-Site Script Inclusion (XSSI) attacks?
A) By using the X-Content-Type-Options: nosniff header
B) By disabling authentication
C) By allowing unrestricted cross-origin requests
D) By storing sensitive data in local storage
✅ Answer: A) By using the X-Content-Type-Options: nosniff header
💡 Explanation: The nosniff header stops browsers from MIME-sniffing a response and treating it as a script, reducing XSSI risks.
199. What is the purpose of implementing a “deny by default” access control policy?
A) To block all access unless explicitly allowed
B) To allow all users full access by default
C) To make role-based access control unnecessary
D) To simplify authentication processes
✅ Answer: A) To block all access unless explicitly allowed
💡 Explanation: A “deny by default” approach ensures that only explicitly authorized users can access resources, reducing attack surfaces.
200. Why should applications avoid using sequential or easily predictable session IDs?
A) Attackers can predict and hijack user sessions
B) It slows down authentication
C) It increases database load
D) It prevents brute-force attacks
✅ Answer: A) Attackers can predict and hijack user sessions
💡 Explanation: Using randomized and sufficiently long session IDs prevents session prediction and fixation attacks.
201. How can an application mitigate security risks associated with third-party libraries?
A) By regularly updating dependencies and removing unused libraries
B) By using only open-source libraries
C) By disabling authentication when using third-party code
D) By allowing all dependencies to auto-update without review
✅ Answer: A) By regularly updating dependencies and removing unused libraries
💡 Explanation: Outdated or unnecessary third-party libraries may contain vulnerabilities, so regular updates and dependency reviews are crucial.
202. Why should sensitive configuration files (e.g., .env, config.json) be restricted from public access?
A) To prevent attackers from gaining access to API keys, database credentials, or other secrets
B) To improve server response time
C) To allow easier debugging
D) To enhance SEO rankings
✅ Answer: A) To prevent attackers from gaining access to API keys, database credentials, or other secrets
💡 Explanation: Exposing configuration files can leak sensitive credentials, leading to unauthorized access or data breaches.
203. What is a key security measure for protecting user authentication credentials?
A) Hashing passwords with strong algorithms like bcrypt, Argon2, or PBKDF2
B) Storing passwords in plaintext for quick retrieval
C) Allowing users to reuse old passwords indefinitely
D) Using weak password hashing algorithms like MD5
✅ Answer: A) Hashing passwords with strong algorithms like bcrypt, Argon2, or PBKDF2
💡 Explanation: Using strong password hashing algorithms ensures that even if the database is breached, passwords remain difficult to crack.
204. Why should database queries avoid concatenating user input directly?
A) To prevent SQL Injection attacks
B) To make queries more readable
C) To improve application speed
D) To allow users to modify queries
✅ Answer: A) To prevent SQL Injection attacks
💡 Explanation: Concatenating user input in SQL queries can allow attackers to inject malicious SQL code, leading to data breaches and unauthorized access.
205. What is the primary benefit of using HTTP security headers like Content-Security-Policy (CSP), X-Frame-Options, and X-Content-Type-Options?
A) To mitigate common web vulnerabilities such as XSS, Clickjacking, and MIME-type sniffing
B) To speed up browser caching
C) To allow unrestricted access to all users
D) To improve CSS rendering
✅ Answer: A) To mitigate common web vulnerabilities such as XSS, Clickjacking, and MIME-type sniffing
💡 Explanation: Security headers add protection against common web threats by enforcing strict browser security policies.