HTTP & Web Security Glossary
Plain-English definitions for the terms that show up in browser consoles, security audits, and developer docs. Each definition links directly to the relevant tool.
Cross-Origin & Headers
CORS
Cross-Origin Resource Sharing. Browser security mechanism that controls which origins can fetch resources from another origin.
Same-Origin Policy
Browser rule that blocks scripts on one origin from accessing resources on a different origin. CORS is the controlled exception.
Preflight Request
OPTIONS request the browser sends before non-simple cross-origin requests to check if the server allows them.
Content-Type
HTTP header declaring the media type of the request or response body. A wrong Content-Type causes parse errors, and a non-simple one triggers a CORS preflight.
Security Headers & Attacks
CSP
Content Security Policy. HTTP header that controls which resources a page can load — the primary defense against XSS.
HSTS
HTTP Strict Transport Security. Forces browsers to only connect via HTTPS — prevents downgrade attacks and cookie hijacking.
XSS
Cross-Site Scripting. Attack where malicious scripts are injected into trusted pages. CSP is the primary header defense.
Clickjacking
Attack embedding a page in a hidden iframe to trick users into clicking on invisible elements. Prevented by X-Frame-Options and CSP frame-ancestors.
Authentication & Caching
PKCE
Proof Key for Code Exchange. OAuth 2.0 extension that prevents authorization code interception attacks in public clients.
SameSite Cookie
Cookie attribute controlling when cookies are sent with cross-site requests. Strict, Lax, or None — affects CSRF protection.
Rate Limiting
Server-side control limiting how many requests a client can make in a time window. Requests over the limit are rejected with 429 Too Many Requests responses.
Cache Busting
Technique to force browsers and CDNs to fetch new file versions by adding a hash or version string to filenames or query params.