E-Learn Knowledge Base


Vsasf Tech ICT Academy, Enugu introduced in early 2025 a hybrid learning system that is flexible for all the courses it offers to the general public. With the E-learn platform powered by Vsasf Nig Ltd, all students can continue learning from a distance irrespective of their location, hence promoting the ODL system of education for Nigerians and the world at large.

Students are encouraged to continue learning online after fully registering through the academy's registration portal. All fully registered students whose training fee payment is complete can click the Login link to access their course materials online.

What is Cyber Security in Critical Infrastructure?

Cybersecurity in critical infrastructure is the protection of the vital systems, networks and resources on which the entire operation of the economy and society depends. Keeping these critical infrastructures operating in the face of cyber-attacks is a must, and that is possible through putting high-quality, strictly enforced policies in place.

Critical infrastructure cybersecurity, simply put, is part of a general security strategy aimed at maintaining the confidentiality, integrity, and availability of the information resources that are to be protected. It is used to deny malicious users the opportunity to take advantage of vulnerabilities for their own objectives. This calls for protection against the risk of cyberwarfare instigated by national governments, resistance to the coordinated efforts of non-state actors engaged in cyberterrorism, dealing with criminal syndicates undertaking cybercrime, and isolating malicious insiders or careless employees as insider threats.

Critical infrastructure has to be cyber-secured because the possible attacks can damage public safety, lead to disruption, and lead to monetary loss. Organizations need to prioritize initiatives, evaluate risks, and reinforce defenses. In the midst of all this, the cybersecurity of critical infrastructure is the guiding light that promotes the strength, dependability, and constant operation of the central systems that support modern civilization.

Cyber Security in Critical Infrastructure Threat Landscape

Cyber threats may compromise critical infrastructure and can come in many different forms, such as:

Threat Landscape in Critical Infrastructure
  • Cyber Warfare: Cyber threats could be launched by states, and by actors granted state support, to implement espionage or launch cyberattacks that collapse critical services or destroy advisory systems.
  • Cyber Terrorism: Cyber terrorist groups and other non-state actors can engage in such attacks to create a sense of chaos, terror, and fear.
  • Cyber Crime: Bypassing security systems poses an appealing opportunity, as organized crime groups exploit vulnerabilities in critical infrastructures to steal or demand money, or to produce service interruptions.
  • Insider Threats: Malicious insiders or negligent employees pose serious risks. They can access vital systems, either by exploiting some vulnerabilities or by unintentionally causing security lapses.

Major Challenges in Cyber Security for Critical Infrastructure

The challenges of cybersecurity for critical infrastructure include:

Major Challenges in Cyber Security for Critical Infrastructure
  • Legacy Systems: The dominance of outdated systems is one of the biggest challenges to critical infrastructure cybersecurity. These outdated systems can be difficult to patch or upgrade, as security was frequently overlooked during their creation, and they are therefore easy targets for hackers. Such legacy systems often lack built-in security features.
  • Resource Constraints: Financial or budget limitations lead to conflicting objectives that might restrict the amount of money allocated to cybersecurity precautions, leaving critical infrastructure open to sophisticated cyberattacks.
  • Interconnectedness: Because critical infrastructure is networked or interconnected, it is more vulnerable to attack, as a breach in one system might give access to others.
  • Complexity: Critical infrastructure systems are often complex, with a large number of components and stakeholders, which makes thorough cybersecurity measures difficult to deploy.
  • Regulatory Compliance: Another layer of complexity and challenge arises from complying with cybersecurity standards and laws, which forces organizations to navigate a maze of requirements while preserving operational effectiveness.

Cyber Security in Critical Infrastructure Best Practices

Best practices of cybersecurity in critical infrastructure include:

Cyber Security Best Practices in Critical Infrastructure
  • Risk Assessment: Risk assessment is the phase in which risks are identified, analyzed, and decided upon; this is known as the cybersecurity risk assessment process. Conducting routine risk assessments to locate flaws in the cybersecurity environment, rank the threats, and spend budgets wisely may be considered the best practice for designing a critical infrastructure strategy.
  • Defense-in-Depth: Defense-in-depth in cybersecurity means deploying one security control and then adding another next to it. This design approach aims to lower the possibility of security breaches. The main idea is to have a safety measure set up as an added layer and a backup in case a threat arises; if the system is facing a security loophole, the organization must respond with a counteraction strategy. Layering security systems such as intrusion detection systems (IDS), firewalls, access control, and encryption tools provides another measure to scale back threats to critical infrastructure. Unlike a strategy that defends against only one cyber threat, a multi-layered strategy enables responses to different kinds of cyber threats, allowing the system to prepare itself in case it is attacked.
  • Incident Response Planning: An incident response plan is an official written document that summarizes the approach to data incidents such as breaches, theft, and cyberattacks, and to keeping information secure. Policies are developed and tested, and the incident response plans are put into effect quickly so that the organization can respond efficiently to cyber events, minimize interruption, and restore operations rapidly.
  • Collaboration and Information Sharing: Promoting joint work among government institutions, organizations, and foreign allies to share knowledge of cybersecurity practices and threat intelligence is considered a top practice.
  • Proper Employee Training: Another effective measure is appropriate cybersecurity education for employees at all levels, which helps them recognize and resist possible threats such as phishing attacks or social engineering strategies.
  • Continuous Monitoring: Adopting advanced monitoring tools to detect intrusions in a timely manner, prevent attacks, and initiate an active defense is the best way to secure critical infrastructure.
  • Regular Updates and Patch Management: Keeping installed software and systems up to date with the latest security patches and updates addresses known vulnerabilities, reducing the risk of their exploitation.

Examples of Cyber Security in Critical Infrastructure

Here are some examples of cybersecurity in critical infrastructure:

Examples of Cyber Security in Critical Infrastructure
  • Transportation Security: The incorporation of encryption methods to protect military traffic management and communication networks, such as the ones used in air, rail, and waterway transportation, is a good example of cybersecurity in critical infrastructure, together with adopting biometric authentication methods and access restrictions to keep unauthorized people out of critical assets such as airports and harbors.
  • Power Grid Protection: Cybersecurity of critical infrastructure is a major need for power grid systems provided by electrical systems. Among the measures are the installation of new types of firewalls and IDS (intrusion detection systems) able to defend against online attacks that attempt network access with the intent of compromising power distribution, transmission, and generation infrastructure. Automated anomaly detection and network traffic monitoring also allow cyber breaches to be detected ahead of time, while penetration testing and vulnerability assessments provide the resilience that power plants need against ever-increasing threats.
  • Financial Sector Defense: Weak cybersecurity measures are dangerous in the financial industry; they can lead to data breaches or even financial losses. Cyberattacks can target payment networks, banking systems, and financial transactions, so the industry must protect all of them. Applying the most up-to-date fraud detection and anomaly detection systems to banking and digital payment platforms allows fraudulent incidents to be detected and brought to a halt. For secure financial transactions, the use of multi-factor authentication and tokenization, in conjunction with cybersecurity in critical infrastructure, makes the online banking system stronger and more secure, ensuring the protection of customer data.
  • Healthcare System Resilience: Cybersecurity is essential to the healthcare industry, as it aims to prevent disruption to system reliability and data safety. Healthcare cybersecurity aims to secure EHRs, medical equipment, and telemedicine platforms from cyberattacks targeting healthcare systems through the deployment of strong cybersecurity measures. Although these technologies to some extent contradict the fundamental principles of the Health Insurance Portability and Accountability Act (HIPAA) regulations, such as protecting the privacy of patients and the accuracy of data stored and shared across healthcare networks, experts recommend data encryption and secure authentication methods to make these technological applications safe. Furthermore, developing an emergency plan and an alternative provision of healthcare services in case of a cyber disaster is important, as it protects the health and security of the public by continuing patient care and important medical services when a healthcare institution's infrastructure is affected.
  • Water and Wastewater Security: Cybersecurity safeguards are necessary to guarantee the safety and security of critical infrastructure in water and wastewater treatment. Defenses such as segregating computers in the treatment facility and providing secure offsite access help put water and wastewater systems out of reach of cyber attacks. Protecting the leading units of Industrial Control Systems (ICS) from manipulation over the network, through network whitelisting and firmware integrity tests, is the target of cybersecurity technologies. To better guarantee a constant supply of water and sanitation services, protect people's health, and be environmentally friendly, dry runs and cybersecurity training drills are undertaken.
Authors: Geeks, T. C. Okenna
Register for this course: Enrol Now

CORS Configuration 

There are many online apps available nowadays. The majority of systems now offer some form of online user interface. These interfaces deal with the client-side presentation, that is, how to display information to the user. The user can interact with the web app and request information or updates from the server. The data is saved in a database that the server can access. The client-side web application requests information from the web server, which responds by retrieving it from the database. Because the data may be sensitive, a security safeguard must be in place to ensure its integrity. CORS, or Cross-Origin Resource Sharing, is a security procedure that helps provide this integrity.

We shall study what CORS is and how it works in general in this article. We will learn what preflight requests are and how CORS relies on them. Furthermore, we’ll go through how we can use CORS and solve the issues that arise from it in our apps.

What is the same-origin policy?

In internet security, the same-origin policy restricts the interaction of a document or script loaded from one origin with a resource loaded from another origin.

What is CORS?

CORS stands for Cross-Origin Resource Sharing. When one domain requests resources from another, it is called a cross-domain request. For security reasons, we may want only a few domains (other than our own) to have access to the server’s resources. That is where CORS comes in. CORS uses HTTP headers to let a server specify which origins (domains, schemes, or ports) other than its own may load its resources.

Prior to CORS, there was no ability to call an API endpoint in a separate domain for security concerns. The Same-Origin Policy prevents this.

Why do we need CORS?

The same-origin policy stops attackers from running malicious scripts against other websites. For instance, without it, a script on a malicious page could call example.com through AJAX and make modifications on behalf of the signed-in user.

Cross-origin access is also beneficial, or even required, in some genuine circumstances. For instance, our React web application may call an API backend hosted on a separate domain; that is not possible without CORS.

How does CORS work?

CORS enables the server to explicitly allow specific origins, overriding the same-origin restriction for them. If we configure CORS on our server, each response will include an additional header with the key “Access-Control-Allow-Origin.”

What are simple requests?

A simple request is one that does not begin a preflight request before sending the actual request. A simple request fits all of the following requirements:

  1. The request uses one of the permitted methods, such as GET, HEAD, or POST.
  2. Aside from the user-agent generated headers, the only headers that may be manually set are:
    1. Accept
    2. Accept-Language
    3. Content-Language
    4. Content-Type
  3. The Content-Type header can only include one of the following values:
    1. application/x-www-form-urlencoded
    2. multipart/form-data
    3. text/plain
  4. There is no event listener associated with XMLHttpRequest.upload.
  5. The request makes no use of a ReadableStream object.
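As an added example (not part of the original article), the following plain JavaScript function applies the five conditions above to a description of a request. The object shape {method, headers, uploadListener, bodyIsReadableStream} is an assumption made for this demo; headers holds only the headers set by script, since user-agent generated headers never count against the simple-request rules.

```javascript
// Added example, not code from the article: apply the simple-request rules
// to a request description of the form {method, headers, uploadListener,
// bodyIsReadableStream} (an assumed shape for this demo; `headers` holds only
// the headers the script set itself, not user-agent generated ones).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns {simple, reason}: `simple` is true when the browser sends the
// request directly, false when it must first send a preflight OPTIONS request.
function classifyRequest(req) {
  const method = String(req.method || "GET").toUpperCase();
  if (!SAFELISTED_METHODS.has(method)) {
    return { simple: false, reason: `method ${method} is not GET, HEAD or POST` };
  }
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lower = name.toLowerCase(); // HTTP header names are case-insensitive
    if (!SAFELISTED_HEADERS.has(lower)) {
      return { simple: false, reason: `header ${name} is not CORS-safelisted` };
    }
    if (lower === "content-type") {
      // Only the media type matters; parameters such as "; charset=utf-8"
      // or the multipart boundary are ignored.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) {
        return { simple: false, reason: `Content-Type ${essence} needs a preflight` };
      }
    }
  }
  if (req.uploadListener) {
    return { simple: false, reason: "an XMLHttpRequest.upload listener is registered" };
  }
  if (req.bodyIsReadableStream) {
    return { simple: false, reason: "the body is a ReadableStream" };
  }
  return { simple: true, reason: "all simple-request conditions are met" };
}

function isSimpleRequest(req) {
  return classifyRequest(req).simple;
}
```

A POST carrying application/json, the commonest case for a React front end talking to an API, fails the third condition, which is why such apps trigger preflights even though POST itself is a permitted method.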

What is a preflight request?

A CORS preflight request examines the server’s ability to employ particular methods and headers and the server’s knowledge of the CORS protocol.

Browsers automatically generate preflight requests. Therefore, front-end developers often don’t need to write them.

Using the “Access-Control-Max-Age” header, it is possible to selectively cache the preflight responses for requests made at the same URL. The browser employs a unique cache for preflight responses distinct from the browser’s standard HTTP cache.

Credentialed requests

CORS is also capable of making “credentialed” requests. In these requests, the server and client can communicate via cookies (which may hold essential credentials).

CORS does not include cookies on cross-origin requests by default. Including cookies in a cross-origin request can lead to a vulnerability known as cross-site request forgery, or CSRF. To reduce the possibility of CSRF vulnerabilities, CORS requires both the server and the client to confirm that it is okay to include cookies on requests.

The HTTP response headers used in CORS

We explained how CORS works by including additional headers with the response indicating whether the origin is on the server’s allowlist. Let’s have a look at some of the headers that CORS employs for this reason.

Access-Control-Allow-Origin

The Access-Control-Allow-Origin header defines an origin and instructs browsers to permit that origin to access server resources for requests without credentials. It may also include a wildcard *, which instructs the browser that any origin can access the server’s resources for requests without credentials.

Access-Control-Allow-Origin: *

However, we cannot use a wildcard in the Access-Control-Allow-Origin header for requests that include credentials such as cookies. In this situation a single, explicit origin must be provided.

Access-Control-Allow-Origin: https://www.example.com

Access-Control-Max-Age

The Access-Control-Max-Age header tells the browser how long (in seconds) it may cache the response to a preflight request.

Access-Control-Max-Age: 1800

Access-Control-Allow-Methods

The Access-Control-Allow-Methods header is used in response to a preflight request to specify the method or methods that are allowed to access the resource.

Access-Control-Allow-Methods: GET, POST, PUT

Access-Control-Allow-Headers

As part of a preflight request, the Access-Control-Allow-Headers header specifies which HTTP headers the client can use during the actual request.

Access-Control-Allow-Headers: Content-Type

How to fix the CORS errors in Node.js and Express.js applications?

You may have encountered the CORS error “no ‘access-control-allow-origin’ header is present on the requested site” when building a full-stack web application. It occurs because the server’s response (including the response to a preflight request) carries no header telling the browser whether the origin is permitted to access the resource.

There are several solutions to this problem in a Node.js and Express.js web server. We will be discussing them one by one.

Setting the correct headers manually

To address the CORS problem, we may manually add the necessary headers to each request. We will use middleware to set these headers whenever our server receives a request for resources. Create a middleware using the code below to set the needed headers to address the CORS error.

const express = require("express");
const app = express();

// Set the CORS headers on every response before the route handlers run
app.use((req, res, next) => {
  res.setHeader("Access-Control-Allow-Origin", "*");
  res.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT");
  res.setHeader("Access-Control-Allow-Headers", "Content-Type");
  next();
});

Here we have set the origin to *. This means that for simple requests such as GET, HEAD, or POST, the server allows all origins to access its resources.

There might be a problem if the client’s browser sends a preflight request. The origin should not be a wildcard or * for handling preflight requests. Therefore, we can update the code a little to address preflight requests.

// Same middleware, but naming one explicit origin instead of the wildcard
app.use((req, res, next) => {
  res.setHeader("Access-Control-Allow-Origin", "https://example.com");
  res.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT");
  res.setHeader("Access-Control-Allow-Headers", "Content-Type");
  next();
});

As an alternative to middleware, we may use the app.options method over a specific endpoint to listen for preflight requests. The preflight request is an OPTIONS request (rather than a GET, POST, or PUT).

// Answer the browser's preflight (OPTIONS) request for "/" directly
app.options("/", (req, res) => {
  res.setHeader("Access-Control-Allow-Origin", "https://example.com");
  res.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT");
  res.setHeader("Access-Control-Allow-Headers", "Content-Type");
  res.sendStatus(204); // preflight responses carry no body
});
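Pulling the response headers described earlier and the fixes above together, here is an added example (not the article's code and not the cors package's) of the decision logic such middleware has to implement, written as a framework-independent function so it runs without Express. It assumes Node-style lowercase header names in req.headers, and the option names in the options object are invented for this demo. It echoes the matching origin instead of *, adds Vary: Origin, refuses the wildcard-with-credentials combination that the Access-Control-Allow-Origin section rules out, and answers a preflight with the Allow-Methods, Allow-Headers and Max-Age headers.

```javascript
// Added example, not code from the article or the cors package: the CORS
// decision logic as a framework-independent function. `req` is assumed to
// carry Node-style lowercase header names in req.headers; the option names
// below are invented for this demo.
const DEFAULT_OPTIONS = {
  allowedOrigins: ["https://example.com"], // explicit allowlist; "*" means any origin
  allowedMethods: ["GET", "POST", "PUT"],
  allowedHeaders: ["Content-Type"],
  allowCredentials: false,                   // cookies are not shared unless enabled
  maxAgeSeconds: 1800,                       // how long the browser may cache a preflight
};

// Returns {status, headers}: `headers` are the CORS headers to add to the
// response; `status` is non-null only when this function should end the
// exchange itself (a preflight answer, or a rejected preflight).
function corsResponse(req, options = {}) {
  const opts = { ...DEFAULT_OPTIONS, ...options };
  const wildcard = opts.allowedOrigins.includes("*");
  if (wildcard && opts.allowCredentials) {
    // Browsers reject this combination, so fail loudly at configuration time.
    throw new Error("Access-Control-Allow-Origin: * cannot be combined with credentials");
  }

  const origin = req.headers["origin"];
  const headers = {};
  // No Origin header: same-origin navigation or a non-browser client; nothing to add.
  if (!origin) return { status: null, headers };

  if (!wildcard && !opts.allowedOrigins.includes(origin)) {
    // Unknown origin: send no CORS headers, so the browser blocks the response.
    return { status: req.method === "OPTIONS" ? 403 : null, headers };
  }

  // Echo the matching origin instead of "*" when an allowlist is used, and
  // tell shared caches that the response differs per origin.
  headers["Access-Control-Allow-Origin"] = wildcard ? "*" : origin;
  if (!wildcard) headers["Vary"] = "Origin";
  if (opts.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  const requestedMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && requestedMethod) {
    // Preflight: check the method and headers the browser wants to use.
    const wantMethod = requestedMethod.toUpperCase();
    const wantHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    const methodOk = opts.allowedMethods.map((m) => m.toUpperCase()).includes(wantMethod);
    const allowedLower = opts.allowedHeaders.map((h) => h.toLowerCase());
    const headersOk = wantHeaders.every((h) => allowedLower.includes(h));
    if (!methodOk || !headersOk) return { status: 403, headers: {} };

    headers["Access-Control-Allow-Methods"] = opts.allowedMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = opts.allowedHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(opts.maxAgeSeconds);
    return { status: 204, headers }; // preflight has no body
  }

  return { status: null, headers }; // actual request: the route handler responds
}
```

Wiring this into Express is a short middleware: call corsResponse(req), copy each entry of headers onto the response with res.setHeader, and if status is non-null end the request with res.sendStatus(status) instead of calling next(). Because the function never reflects an origin that is not on the allowlist, a misconfigured front end gets a clear browser-side error rather than silent access.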

Using the cors NPM package

Express.js created the cors package. We use it to simplify CORS handling by abstracting the complexities of setting up the correct headers, managing preflight requests, and so on behind an easy-to-use API.

Install the cors package using the NPM package manager.

npm install cors

To use the cors middleware provided by the cors library, we write the following code.

const express = require("express");
const cors = require("cors");
const app = express();

// Apply the cors middleware with its defaults to every route
app.use(cors());

By default, the “Access-Control-Allow-Origin” header in the delivered response is set to the wildcard *.

Without providing any additional arguments to the cors middleware.

We may optionally supply additional arguments to the cors middleware to modify the default behavior. Let’s look at an example.

app.use(cors({
  origin: 'https://example.com'
}));

Providing an origin to the cors middleware.

Conclusion

This article taught us what CORS is and how it generally works. Furthermore, we looked at what preflight requests are and how CORS relies on them. Finally, we learned how to use CORS and solve the issues arising from it in our apps.

Authors: T. C. Okenna

What Is the OSI Model?

The Open Systems Interconnection (OSI) model describes seven layers that computer systems use to communicate over a network. Each of the seven layers has specific responsibilities, ranging from physical hardware connections to high-level application interactions.

Each layer of the OSI model interacts with the layer directly above and below it, encapsulating and transmitting data in a structured manner. This approach helps network professionals troubleshoot issues, as problems can be isolated to a specific layer. The OSI model serves as a universal language for networking, providing a common ground for different systems to communicate effectively.

The OSI model was the first standard model for network communications, adopted by all major computer and telecommunication companies in the early 1980s. It was introduced in 1983 by representatives of the major computer and telecom companies, and was adopted by ISO as an international standard in 1984.

The modern Internet is not based on OSI, but on the simpler TCP/IP model. However, the OSI 7-layer model is still widely used, as it helps visualize and communicate how networks operate.

Why Is the OSI Model Important?

The OSI model provides several advantages for organizations managing networks and communications:

  • Shared understanding of complex systems: OSI offers a universal language for networking, enabling different network devices and software to communicate. By dividing communication into seven distinct layers, it allows network professionals to isolate and troubleshoot problems effectively.
  • Faster research and development: Developers can focus on improving specific layers without affecting others, leading to more rapid innovations. This modular approach enables specialization and enables different teams to work on various aspects of network communication simultaneously.
  • Flexible standardization: The model’s layered approach allows for the integration of new technologies at any layer without disrupting the overall network structure. This ensures compatibility across different devices and protocols, ensuring long-term viability and scalability of network infrastructure.

OSI Model Explained: The OSI 7 Layers


We’ll describe OSI layers “top down” from the application layer that directly serves the end user, down to the physical layer.

7. Application Layer


The Application Layer serves as the interface between the end-user applications and the underlying network services. This layer provides protocols and services that are directly utilized by end-user applications to communicate across the network. Key functionalities of the Application Layer include resource sharing, remote file access, and network management.

Examples of protocols operating at the Application Layer include Hypertext Transfer Protocol (HTTP) for web browsing, File Transfer Protocol (FTP) for file transfers, Simple Mail Transfer Protocol (SMTP) for email services, and Domain Name System (DNS) for resolving domain names to IP addresses. These protocols ensure that user applications can effectively communicate with each other and with servers over a network.

6. Presentation Layer


The Presentation Layer, also known as the syntax layer, is responsible for translating data between the application layer and the network format. It ensures that data sent from the application layer of one system is readable by the application layer of another system. This layer handles data formatting, encryption, and compression, facilitating interoperability between different systems.

One of the key roles of the Presentation Layer is data translation and code conversion. It transforms data into a format that the application layer can understand. For example, it may convert data from ASCII to EBCDIC. It also includes encryption protocols to ensure data security during transmission and compression protocols to reduce the amount of data for efficient transmission.

5. Session Layer


The Session Layer manages and controls the connections between computers. It establishes, maintains, and terminates connections, ensuring that data exchanges occur efficiently and in an organized manner. The layer is responsible for session checkpointing and recovery, which allows sessions to resume after interruptions.

Protocols operating at the Session Layer include Remote Procedure Call (RPC), which enables a program to execute a procedure on a remote host as if it were local, and the session establishment phase in protocols like NetBIOS and SQL. These services enable reliable communication, especially in complex network environments.

4. Transport Layer


The Transport Layer provides end-to-end communication services for applications. It ensures complete data transfer, error recovery, and flow control between hosts. This layer segments and reassembles data for efficient transmission and provides reliability with error detection and correction mechanisms.

Protocols at this layer include Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is connection-oriented and ensures reliable data transfer with error checking and flow control, making it suitable for applications like web browsing and email. UDP is connectionless, offering faster, though less reliable, transmission, suitable for applications like video streaming and online gaming.

3. Network Layer


The Network Layer is responsible for data routing, forwarding, and addressing. It determines the best physical path for data to reach its destination based on network conditions, the priority of service, and other factors. This layer manages logical addressing through IP addresses and handles packet forwarding.

Key protocols at this layer include the Internet Protocol (IP), which is important for routing and addressing, Internet Control Message Protocol (ICMP) for diagnostic and error-reporting purposes, and routing protocols like Routing Information Protocol (RIP) that manage the routing of data across networks.

2. Data Link Layer


The Data Link Layer is responsible for node-to-node data transfer and error detection and correction. It ensures that data is transmitted to the correct device on a local network segment. This layer manages MAC (Media Access Control) addresses and is divided into two sublayers: Logical Link Control (LLC) and Media Access Control (MAC).

Protocols and technologies at this layer include Ethernet, which defines the rules for data transmission over local area networks (LANs), and Point-to-Point Protocol (PPP) for direct connections between two network nodes. It also includes mechanisms for detecting and possibly correcting errors that may occur in the Physical Layer.

1. Physical Layer


The Physical Layer is responsible for the physical connection between devices. It defines the hardware elements involved in the network, including cables, switches, and other physical components. This layer also specifies the electrical, optical, and radio characteristics of the network.

Functions of the Physical Layer include the modulation, bit synchronization, and transmission of raw binary data over the physical medium. Technologies such as Fiber Optics and Wi-Fi operate at this layer, ensuring that the data physically moves from one device to another in the network.

How Does Communication Happen in the OSI Model? A Practical Example

Let’s consider how OSI layers play a role in an everyday activity like sending an email to a person overseas:

  • When a user in New York sends an email to a colleague in London, the process starts at the Application Layer (Layer 7). The user’s email client, such as Outlook, uses SMTP (Simple Mail Transfer Protocol) to handle the email message.
  • The email is then passed to the Presentation Layer (Layer 6), where it is formatted and encrypted to ensure proper transmission.
  • Next, the email moves to the Session Layer (Layer 5), where a session is established between the sender’s email server in New York and the receiver’s email server in London. This layer manages the session, keeping the connection open long enough to send the email.
  • The email data then reaches the Transport Layer (Layer 4), where it is divided into smaller packets. TCP ensures these packets are sent reliably and in the correct order.
  • At the Network Layer (Layer 3), each packet is assigned source and destination IP addresses, allowing it to be routed through multiple networks, including routers and switches, to reach the recipient in London.
  • The Data Link Layer (Layer 2) then uses MAC addresses to handle the packets’ journey across local networks and corrects any errors that occur.
  • Finally, the Physical Layer (Layer 1) converts the data into electrical signals, which are transmitted over fiber-optic cables under the Atlantic Ocean.

Upon reaching the recipient’s server in London, the process is reversed:

  • The Physical Layer converts the signals back into data packets, which are reassembled at the Data Link Layer.
  • The Network Layer ensures the packets have arrived correctly, and the Transport Layer reorders them if necessary.
  • The Session Layer maintains the session until the email is fully received.
  • The Presentation Layer decrypts and formats the email, and the Application Layer delivers the email to the client, where it appears in their inbox.
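To make the encapsulation and reassembly steps above concrete, here is an added toy simulation in JavaScript (not from the article). The addresses, segment size and 16-bit check value are constructed for the demo and stand in for real IP/MAC addressing and a real frame check sequence; the point is to show how each lower layer adds its own header on the way down and strips and checks it on the way up, and how sequence numbers let the transport layer reorder segments that arrive out of order or notice that one was dropped.

```javascript
// Added example, not from the article: a toy model of encapsulation on the
// way down the stack and decapsulation on the way up. Addresses, segment
// size and the check value are constructed stand-ins for real IP/MAC
// addressing and a real frame check sequence.
const SEGMENT_SIZE = 16; // characters of payload per transport segment
const NEW_YORK = { ip: "198.51.100.10", mac: "02:00:00:00:00:0a" }; // constructed
const LONDON = { ip: "203.0.113.20", mac: "02:00:00:00:00:14" };    // constructed

// 16-bit rolling checksum standing in for the Data Link layer's frame check.
function frameCheck(body) {
  let sum = 0;
  for (let i = 0; i < body.length; i++) sum = (sum * 31 + body.charCodeAt(i)) & 0xffff;
  return sum;
}

// Sender: Application data -> Transport segments -> Network packets -> Data Link frames.
function encapsulate(message, src, dst) {
  const total = Math.ceil(message.length / SEGMENT_SIZE);
  const frames = [];
  for (let seq = 0; seq < total; seq++) {
    // Layer 4: sequence numbers let the receiver reorder and detect loss
    const segment = { seq, total, payload: message.slice(seq * SEGMENT_SIZE, (seq + 1) * SEGMENT_SIZE) };
    // Layer 3: logical addresses used by routers to forward the packet
    const packet = { srcIp: src.ip, dstIp: dst.ip, ttl: 64, segment };
    // Layer 2: hardware addresses for the local hop plus an integrity check
    const body = JSON.stringify(packet);
    frames.push({ srcMac: src.mac, dstMac: dst.mac, body, fcs: frameCheck(body) });
  }
  return frames;
}

// Receiver: Data Link -> Network -> Transport -> Application.
// Returns {message, dropped}; message is null if any segment is missing.
function decapsulate(frames, self) {
  const segments = new Map();
  let dropped = 0;
  for (const frame of frames) {
    // Layer 2: ignore frames for another station or that fail the check
    if (frame.dstMac !== self.mac || frameCheck(frame.body) !== frame.fcs) {
      dropped++;
      continue;
    }
    const packet = JSON.parse(frame.body);
    // Layer 3: ignore packets addressed to another host
    if (packet.dstIp !== self.ip) {
      dropped++;
      continue;
    }
    segments.set(packet.segment.seq, packet.segment);
  }
  // Layer 4: put segments back in order; any gap means the message is incomplete
  const first = segments.values().next().value;
  if (!first) return { message: null, dropped };
  const parts = [];
  for (let seq = 0; seq < first.total; seq++) {
    if (!segments.has(seq)) return { message: null, dropped };
    parts.push(segments.get(seq).payload);
  }
  return { message: parts.join(""), dropped };
}

// A constructed channel that delivers frames in reverse order.
function deliverOutOfOrder(frames) {
  return [...frames].reverse();
}
```

Running encapsulate on a 45-character message yields three frames; decapsulate rebuilds the message whether the frames arrive in order or reversed, drops a frame whose body has been altered because its check value no longer matches, and returns null for the message when that leaves a gap in the sequence, which is the cue for a real transport layer to request retransmission.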

Advantages of OSI Model

The OSI model helps users and operators of computer networks:

  • Determine the required hardware and software to build their network.
  • Understand and communicate the process followed by components communicating across a network.
  • Perform troubleshooting, by identifying which network layer is causing an issue and focusing efforts on that layer.

The OSI model helps network device manufacturers and networking software vendors:

  • Create devices and software that can communicate with products from any other vendor, allowing open interoperability.
  • Define which parts of the network their products should work with.
  • Communicate to users at which network layers their product operates – for example, only at the application layer, or across the stack.

OSI vs. TCP/IP Model


The Transmission Control Protocol/Internet Protocol (TCP/IP) model is older than the OSI model and was created by the US Department of Defense (DoD). A key difference between the models is that TCP/IP is simpler, collapsing several OSI layers into one:

  • OSI layers 5, 6, 7 are combined into one Application Layer in TCP/IP
  • OSI layers 1, 2 are combined into one Network Access Layer in TCP/IP – however, the Network Access Layer does not take responsibility for sequencing and acknowledgement functions, leaving these to the transport layer.

Other important differences:

  • TCP/IP is a functional model designed to solve specific communication problems, and which is based on specific, standard protocols. OSI is a generic, protocol-independent model intended to describe all forms of network communication.
  • In TCP/IP, most applications use all the layers, while in OSI simple applications do not use all seven layers. Only layers 1, 2 and 3 are mandatory to enable any data communication.
Authors: T. C. Okenna

Basics of Computer Networking

Computer networking is very important in modern technology, enabling the interconnected systems that power the Internet, business communications, and everyday digital interactions. Understanding the fundamentals of computer networking is essential for anyone involved in technology, from enthusiasts to professionals. This article will explore the basics of computer networking, including network types, components, protocols, and essential services like the Domain Name System (DNS).

What is a Computer Network?

A computer network is a collection of interconnected devices that share resources and information. These devices can include computers, servers, printers, and other hardware. Networks allow for the efficient exchange of data, enabling various applications such as email, file sharing, and internet browsing.

How Does a Computer Network Work?

The basic building blocks of a computer network are nodes and links. A network node is either data communication equipment, such as a modem or router, or data terminal equipment, such as the two or more computers being connected. A link is the medium that joins nodes: wires or cables, or free space in the case of wireless networks.

A computer network works by following rules, called protocols, for sending and receiving data over the links that connect its nodes. Each device has an IP address that identifies it on the network.

What do Computer Networks do?

Computer networks were first developed in 1950 for military and defense purposes. At that time they were mainly used to send data over telephone lines and had limited use in business or science.

Today computer networks are essential for businesses also. Modern networks offer more than just connecting devices. They play a key role in helping businesses adapt to the digital world and succeed. These networks have become more flexible, automated, and secure, making them even more important in today’s business environment.

Modern computer networks can:

  • Work Virtually: The physical network can be divided into smaller virtual networks. In these virtual networks, devices are connected and can send data through multiple physical routes. For example, many business networks use the internet this way.
  • Connect on a Large Scale: Modern networks link many smaller, spread-out networks into one big, powerful system. Automation and monitoring tools help manage and adjust the network as needed, allowing it to grow or shrink based on demand.
  • Adapt Quickly: Many networks are controlled by software, so changes can be made quickly through a digital dashboard. This allows traffic to be managed easily.
  • Keep Data Secure: Built-in security features like encryption and access control protect data. Additional protections like antivirus software, firewalls, and malware protection can be added to strengthen network security.

Basic Terminologies of Computer Networks

  • Network: A network is a collection of computers and devices that are connected together to enable communication and data exchange.
  • Nodes: Nodes are devices that are connected to a network. These can include computers, Servers, Printers, Routers, Switches, and other devices.
  • Protocol: A protocol is a set of rules and standards that govern how data is transmitted over a network. Examples of protocols include TCP/IP, HTTP, and FTP.
  • Topology: Network topology refers to the physical and logical arrangement of nodes on a network. The common network topologies include bus, star, ring, mesh, and tree.
  • Service Provider Networks: Networks whose capacity and functionality customers lease from a provider. Examples include wireless communications providers and data carriers.
  • IP Address: An IP address is a unique numerical identifier that is assigned to every device on a network. IP addresses are used to identify devices and enable communication between them.
  • DNS: The Domain Name System (DNS) is a protocol that is used to translate human-readable domain names (such as www.google.com) into IP addresses that computers can understand.
  • Firewall: A firewall is a security device that is used to monitor and control incoming and outgoing network traffic. Firewalls are used to protect networks from unauthorized access and other security threats.

Types of Enterprise Computer Networks

  • LAN: A Local Area Network (LAN) is a network that covers a small area, such as an office or a home. LANs are typically used to connect computers and other devices within a building or a campus.
  • WAN: A Wide Area Network (WAN) is a network that covers a large geographic area, such as a city, country, or even the entire world. WANs are used to connect LANs together and are typically used for long-distance communication.
  • Cloud Networks: Cloud networks can be thought of as a form of Wide Area Network (WAN); they are hosted by public or private cloud service providers and are provisioned on demand. Cloud networks consist of virtual routers, firewalls, and similar components.

These are just a few basic concepts of computer networking. Networking is a vast and complex field, and there are many more concepts and technologies involved in building and maintaining networks. Now we are going to discuss some more concepts on Computer Networking.

  • Open system: A system that is connected to the network and is ready for communication. 
  • Closed system: A system that is not connected to the network and can’t be communicated with.

Types of Computer Network Architecture

Computer network architectures fall into these broad categories:

  • Client-Server Architecture: Client-server architecture is a type of computer network architecture in which nodes are either servers or clients. Here, the server node manages the behaviour of the client nodes.
  • Peer-to-Peer Architecture: In P2P (peer-to-peer) architecture there is no central server; each device is free to act as either client or server.

Network Devices

A network is an interconnection of multiple devices, also known as hosts, connected over multiple paths for the purpose of sending and receiving data or media. Networks also include devices that help the communication between two hosts; these are known as network devices and include routers, switches, hubs, and bridges.

Network Topology

The Network Topology is the layout arrangement of the different devices in a network. Some types of network topologies are:

  • Bus Topology: In bus topology all devices are connected to a single central cable called a bus. Data is sent along this cable and all devices share the same connection. It is simple and cheap to set up, but if the main cable fails the whole network goes down.
  • Star Topology: In star topology all devices are connected to a central node called a hub or switch. The hub controls the flow of data between devices. If one device fails the rest of the network is unaffected, but if the central hub fails the whole network stops working.
  • Ring Topology: In ring topology devices are connected in a circular loop, with each device connected to two others. Data travels in one direction (or sometimes both), passing through each device until it reaches its destination. A failure in one device can affect the whole network.
  • Mesh Topology: In mesh topology every device is connected to every other device in the network. It provides multiple paths for data so if one path fails another can take over.
  • Tree Topology: Tree topology is the combination of star and bus topology. Tree topology is good for organizing large networks and allows for easy expansion.
  • Hybrid Topology: Hybrid topology is the combination of two or more different topologies (like star and mesh). It is flexible and can be customized based on the network’s specific needs.

OSI Model 

OSI stands for Open Systems Interconnection. It is a reference model that specifies standards for communication protocols and the functions of each layer. The OSI model was developed by the International Organization for Standardization and is a 7-layer architecture. Each layer of OSI has different functions and each layer has to follow different protocols. The 7 layers are as follows:

  • Physical Layer
  • Data link Layer
  • Network Layer
  • Transport Layer
  • Session Layer
  • Presentation Layer
  • Application Layer

Network Protocols

A protocol is a set of rules or algorithms which define how two entities communicate across the network; a different protocol is defined at each layer of the OSI model. A few such protocols are TCP, IP, UDP, ARP, DHCP, FTP, and so on.

  • Transmission Control Protocol/Internet Protocol (TCP/IP): TCP/IP is the foundational protocol suite of the internet, enabling reliable communication. TCP ensures data is delivered reliably and in order, and IP routes data packets to their destination based on IP addresses.
  • Hypertext Transfer Protocol (HTTP) and HTTPS: HTTP and HTTPS are the protocols used for transmitting web pages. HTTP communication is unsecured, while HTTPS secures the communication using SSL/TLS encryption.
  • Simple Mail Transfer Protocol (SMTP): SMTP is the protocol used to send email. It works with other protocols like POP3 and IMAP, which handle email retrieval.
  • File Transfer Protocol (FTP): FTP is the protocol used for transferring files between computers. It includes commands for uploading, downloading, and managing files on a remote server.
  • Dynamic Host Configuration Protocol (DHCP): DHCP automatically assigns IP addresses to devices on a network, reducing manual configuration and IP address conflicts.
  • Domain Name System (DNS): DNS translates human-friendly domain names into IP addresses, enabling seamless navigation on the internet.

Unique Identifiers of Network 

Hostname: Each device in the network is associated with a unique device name known as the hostname. Type “hostname” in the command prompt (Administrator mode) and press ‘Enter’; this displays the hostname of your machine.
 

IP Address (Internet Protocol address): Also known as the logical address, the IP address is the network address of the system across the network. To identify each device on the Internet, the Internet Assigned Numbers Authority (IANA) assigns an IPv4 (version 4) address as a unique identifier to each device. The length of an IPv4 address is 32 bits, hence there are 2^32 IP addresses available. The length of an IPv6 address is 128 bits.

In Windows, type “ipconfig” in the command prompt and press ‘Enter’; this gives the IP address of the device. For Linux, type “ifconfig” in the terminal and press ‘Enter’; this gives the IP address of the device.

MAC Address (Media Access Control address): Also known as the physical address, the MAC address is the unique identifier of each host and is associated with its NIC (Network Interface Card). A MAC address is assigned to the NIC at the time of manufacturing. The length of a MAC address is 12 nibbles / 6 bytes / 48 bits. Type “ipconfig /all” in the command prompt and press ‘Enter’; this gives the MAC address.

Port: A port can be referred to as a logical channel through which data can be sent/received to an application. Any host may have multiple applications running, and each of these applications is identified using the port number on which they are running. 

A port number is a 16-bit integer, hence there are 2^16 ports available, which are categorized as shown below:

Port Types          Range
Well-known Ports    0 – 1023
Registered Ports    1024 – 49151
Ephemeral Ports     49152 – 65535

Number of ports: 65,536 
Range: 0 – 65535 
Type “netstat -a” in the command prompt and press ‘Enter’, this lists all the ports being used. 

Socket: The unique combination of IP address and Port number together is termed a Socket. 

Other Related Concepts 

DNS Server: DNS stands for Domain Name System. DNS is basically a server that translates web addresses or URLs (ex: www.google.com) into their corresponding IP addresses. We don’t have to remember all the IP addresses of each and every website. The command ‘nslookup’ gives you the IP address of the domain you are looking for. This also provides information on our DNS Server. 

ARP: ARP stands for Address Resolution Protocol. It is used to convert an IP address to its corresponding physical address(i.e., MAC Address). ARP is used by the Data Link Layer to identify the MAC address of the Receiver’s machine. 

RARP: RARP stands for Reverse Address Resolution Protocol. As the name suggests, it provides the IP address of a device given its physical address as input. However, RARP has become obsolete since DHCP came into use.

The Domain Name System (DNS) is a critical component of computer networking. It converts easily recognizable domain names, such as www.example.com, into numerical IP addresses that computers use to identify each other on the network.

How DNS Works?

DNS works efficiently, translating user-friendly domain names into IP addresses and allowing seamless navigation on the internet. The step-by-step working of DNS is as follows:

  • User Input: When a user enters a domain name in a browser, the system needs to find its IP address.
  • DNS Query: The user’s device sends a DNS query to the DNS resolver.
  • Resolver Request: The DNS resolver checks its cache for the IP address. If not found, it forwards the request to the root DNS server.
  • Root DNS Server: The root DNS server provides the address of the TLD (Top-Level Domain) server for the specific domain extension (e.g., .com).
  • TLD DNS Server: The TLD server directs the resolver to the authoritative DNS server for the actual domain.
  • Authoritative DNS Server: The authoritative DNS server knows the IP address for the domain and provides it to the resolver.
  • Response to User: The resolver stores the IP address in its cache and sends it to the user’s device.
  • Access Website: With the IP address, the user’s device can access the desired website.
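As an added example (not part of the original article), the Python script below simulates the resolution steps above against constructed zone data: the resolver checks its cache, asks a simulated root server, then the TLD server, then the authoritative server, and caches the answer so a repeat lookup skips the chain. All server names and the 192.0.2.10 address are made-up sample values (192.0.2.0/24 is reserved for documentation).

```python
"""Simulated iterative DNS resolution (added example, constructed data).
Each dictionary plays the role of one kind of server from the steps above."""

# Constructed sample zone data: no real servers or addresses are used.
ROOT_SERVER = {"com": "tld-com.example"}                  # TLD -> name of its TLD server
TLD_SERVERS = {"tld-com.example": {"example.com": "ns1.example.com"}}   # domain -> authoritative
AUTHORITATIVE = {"ns1.example.com": {"www.example.com": "192.0.2.10"}}  # name -> address


class Resolver:
    """A resolver with a cache, walking root -> TLD -> authoritative."""

    def __init__(self):
        self.cache = {}   # name -> IP address (answers are cached, step 7)
        self.trace = []   # human-readable record of each step taken

    def resolve(self, name):
        name = name.rstrip(".").lower()
        # Step 3: check the cache before asking any server
        if name in self.cache:
            self.trace.append(f"cache hit: {name} -> {self.cache[name]}")
            return self.cache[name]
        labels = name.split(".")
        if len(labels) < 2:
            raise LookupError(f"{name!r} is not a fully qualified name")
        tld, domain = labels[-1], ".".join(labels[-2:])
        # Step 4: the root server refers us to the TLD server for the extension
        tld_server = ROOT_SERVER.get(tld)
        if tld_server is None:
            raise LookupError(f"root server knows no TLD .{tld}")
        self.trace.append(f"root -> {tld_server} for .{tld}")
        # Step 5: the TLD server refers us to the authoritative server for the domain
        auth_server = TLD_SERVERS[tld_server].get(domain)
        if auth_server is None:
            raise LookupError(f"{tld_server} has no delegation for {domain}")
        self.trace.append(f"{tld_server} -> {auth_server} for {domain}")
        # Step 6: the authoritative server answers, or reports the name does not exist
        ip = AUTHORITATIVE[auth_server].get(name)
        if ip is None:
            raise LookupError(f"{auth_server}: no address record for {name}")
        self.trace.append(f"{auth_server} -> {name} = {ip}")
        # Step 7: cache the answer so the next lookup skips the whole chain
        self.cache[name] = ip
        return ip


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com"))   # walks the full chain
    print(r.resolve("www.example.com"))   # served from the cache
    print("\n".join(r.trace))
```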

Network Security

Ensuring the security of a network is crucial to protect data and resources from unauthorized access and attacks. Key aspects of network security include:

  • Firewalls: Devices or software that monitor and control incoming and outgoing network traffic based on security rules.
  • Encryption: The process of encoding data to prevent unauthorized access. Commonly used in VPNs, HTTPS, and secure email.
  • Intrusion Detection Systems (IDS): Tools that monitor network traffic for suspicious activity and potential threats.
  • Access Control: Mechanisms that restrict access to network resources based on user identity and role.
  • Regular Updates and Patching: Keeping software and hardware up to date to protect against vulnerabilities.

Why Use Computer Networks?

Computer networks play an important role in modern life. Here are some key benefits of computer networks:

  • Fast and Easy Communication: Networks enable all types of digital communication, like emails, messaging, file sharing, video calls, and streaming.
  • More Storage Space: Without networked or cloud storage, data would have to be kept in physical files that take up physical space; a computer network provides shared storage for data.
  • Easier Sharing of Information: Networks make it simpler for users and teams to share resources and information. Teams can collaborate more easily, and users get faster response from network devices.
  • Better Security: Well designed networks are more reliable and give businesses more options for keeping data safe. They come with built-in security features like encryption and access controls to protect sensitive information from cyber threats.

Conclusion

Understanding the basics of computer networking is essential in today’s interconnected world. Networks enable the seamless exchange of information, support countless applications, and underpin the functionality of the internet. From different types of networks and their components to protocols and security measures, a solid grasp of these concepts is foundational for anyone working in or with technology. As technology evolves, so too will the complexity and capabilities of computer networks, making continuous learning and adaptation crucial.

Frequently Asked Questions on Basics of Computer Networking – FAQs

What is an IP address?

An IP (Internet Protocol) address is a unique identifier assigned to each device on a network. It allows devices to locate and communicate with each other. There are two types of IP addresses: IPv4 (e.g., 192.168.1.1) and IPv6 (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

What is the difference between TCP and UDP?

  • TCP (Transmission Control Protocol): A connection-oriented protocol that ensures reliable and ordered delivery of data. It is used for applications where data integrity is critical, like web browsing and email.
  • UDP (User Datagram Protocol): A connectionless protocol that does not guarantee delivery or order. It is used for applications where speed is more important than reliability, like streaming and gaming.

What is a firewall?

A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predefined security rules. It acts as a barrier between a trusted internal network and untrusted external networks like the internet.

What is a subnet mask?

A subnet mask is used in IP addressing to divide the network into sub-networks, or subnets. It helps determine which portion of an IP address is the network address and which part is the host address.

What is NAT (Network Address Translation)?

NAT is a method used by routers to translate private IP addresses within a local network to a public IP address before sending data over the internet. This helps to conserve IP addresses and add a layer of security by hiding internal network addresses.

What is a MAC address?

A MAC (Media Access Control) address is a unique identifier assigned to a network interface card (NIC) for communication on a physical network segment. It is a hardware address that is unique to each network device.

What is latency in networking?

Latency is the time it takes for data to travel from the source to the destination across a network. It is usually measured in milliseconds (ms) and can affect the performance of networked applications.

Authors: Geeks, T. C. Okenna

CSRF Attack Cross-Site Request Forgery

An overview of CSRF Attack

A counterpart of XSS, CSRF is one of the many concerning web vulnerabilities; in it, an authenticated user is made to perform an unwanted or unauthorized action on the website that has authenticated them. By using two-factor login, a password, and other means, a website authenticates the end user and permits them access to the services/facilities of the website/application. This way, trust is built between the end user and the website.

Threat actors use this trust factor to gain unauthorized access to the website by exploiting it via a CSRF attack. CSRF has many synonyms including Hostile Linking, Sea Surf, Session Riding, One-click attack, and so on.

The notable characteristics of a CSRF attack are listed below:

  • It is easy to carry out on websites/web applications that do not validate whether an action was performed with the user's consent.
  • While XSS exploits the trust a user has in a website, CSRF exploits the trust a website has in its user. A closer comparison of XSS and CSRF is needed to distinguish these vulnerabilities at a deeper level.
  • It does not require JavaScript or any other sort of code to succeed.
  • Single-page applications have a higher chance of being CSRF victims when they store the CSRF token in cookies, which are a favourite target of threat actors.

What is a CSRF token?

Crucial to keeping the likelihood of a CSRF attack as low as possible, a CSRF token is a secure, unique, randomly generated per-session value. Challenge and synchronizer tokens are among the most common examples.

The CSRF token must be placed in hidden/invisible components of the HTML forms that drive server-side functionality and are served to the end user’s browser. It must be long enough that threat actors cannot guess it.

The CSRF-enabled websites and web apps will generate exclusive CSRF tokens for individual HTTP requests or login sessions. 

Correct validation of CSRF tokens will discourage CSRF attacks. However, certain factors affect CSRF token validation.

Validation is highly influenced by the type of request. For instance, some websites will fully validate HTTP POST requests while rejecting GET ones.

Availability of the token also affects validation. For example, if no token is present at the time of the request, the request is ignored.

How does CSRF work?

Carrying out a CSRF attack requires three conditions to be met.

  1. A privileged action must exist on the website, such as an action that alters user-specific data.
  2. The target site must identify the user through at least one HTTP request in which session cookies are automatically included.
  3. No part of the request contains values that are hidden from, or unreadable by, the attacker.

Once all these three conditions are fulfilled, one is ready to execute the CSRF attack.

CSRF is highly diverse when it comes to tricking the user into initiating a forged request. Before looking at these ways, let’s see how the forged request itself is constructed, with the help of an example.

Example

Say John needs to transfer $500 to Jena via the money.com website. 

Now, the money.com website is not backed by robust CSRF protections and a threat attacker, Leo, uses this opportunity to receive the money that John is trying to transfer.

To make this happen, attacker, Leo, will move ahead as:

  • Creating a manipulated script or URL
  • Luring John into using the manipulated URL/script via social engineering

Now, let’s understand the working of CSRF attack under different scenarios:

When website accepts GET requests 

In that case, the money transfer request, made by John, will look like: 

GET http://money.com/transfer.do?acct=JENA&amount=500 HTTP/1.1

Leo, the threat actor, will exploit this through John. First, he will create a manipulated URL to redirect the money transfer initiated by John to his own bank account.

He will access the transfer command of John and replace Jena’s name with his. He can also alter the transfer value. The exploited command will look like:

http://money.com/transfer.do?acct=LEO&amount=5000

In the exploited URL, Leo replaced the original transfer value with $5,000. 

Here, social engineering gambits such as an email with HTML content, or placing the manipulated URL where the genuine page would be expected, fool John into loading the exploited URL. As the altered page/URL/script looks very similar to the original, it is easy to be fooled.

When websites accept POST requests 

If the website accepts only POST requests, then John’s request will look like this:

POST http://money.com/transfer.do HTTP/1.1
acct=JENA&amount=500

Such a request is delivered with FORM tags:

<form action="http://money.com/transfer.do" method="POST">
  <input type="hidden" name="acct" value="Leo"/>
  <input type="hidden" name="amount" value="5000"/>
  <input type="submit" value="Check my pictures"/>
</form>

Using a FORM tag requires the victim to click the submit button to complete the request; alternatively, the request can be submitted automatically with JavaScript.

When a website is using other HTTP methods 

Besides GET and POST, other HTTP methods like PUT and DELETE are also used frequently. A PUT-based request would need JavaScript in the manipulated page/URL. Because the modern browsers in use today enforce the same-origin policy, CSRF attacks on PUT and DELETE requests are not usually seen.


The Aftermath of a CSRF attack: What happens to the Victim?

The outcome can be serious for the targeted user. A successful attack completes an action that the victim never intended to perform, so the severity depends on what that action was.

Also, if the person, who was targeted through this attack, is an organizational user with high-level rights in a business network, the loss due to CSRF’s success will be much bigger. It may result in monetary transactions, data compromise, functionality misuse, and much more.

A few examples could be:

  • Editing the victim’s e-mail details for an account and thereby using their identity for financial transactions or on social media. 
  • Performing an unsolicited transaction from a user account.
  • Modifying the access-rights of various user roles in an organization after gaining access to the admin account.

Constructing and Delivering a CSRF attack

  1. The Construction/Design

Let’s begin with understanding how this sort of attack is designed or strategized in general.

The conventional method to carry out a CSRF exploit is to create a custom HTML request comprising a high parameter count. However, due to the complexity of this method and the time it takes, very few high-end attacks use it.

Most of the attackers use a CSRF PoC generator - the simplest trick to succeed at a CSRF exploit. This tool comes as a part of Burp Suite Professional and can be used by following the below-enlisted steps: 

  • To test/exploit a request, find it in the tool.
  • Right-click on this request and then on Engagement tools.
  • Pick your option as ‘Generate CSRF PoC’ and the tool will create the HTML content in order to initiate the action. This won’t involve cookies, as your browser may or may not have different settings than the victim’s browser. 
  • Now, you can either modify this HTML content by changing the selections for different options in the tool to customize your attack or copy the same content into a webpage.
  • View this page with this HTML content in a browser and test if it is working as you want it to.

  2. The Delivery

Now that you have the HTML content for carrying out the attack ready, the next step is to deliver it to the victim and hope for your success. 

The method for CSRF delivery is very similar to reflected XSS exploits. So, you – as a threat-actor or tester – will embed this malicious content in a web page or email, or an SM text in order to deliver it to the victim. You may even add it to a popular site or forum as a comment if you want the exploit to be untargeted.

Typically, the simplest of CSRF attacks utilize 1 GET request. So, this HTML content can be just 1 URL. For example, this type of self-contained exploit may appear like this:

<img src="https://example.com/email/change?email=example@test-csrf.user">

To succeed, you just have to make the victim click on this image.

How to detect cross site request forgery?

Regardless of the type of vulnerability, early detection is the key to keeping the damage under control. 

The most practical markers that help in the timely detection of CSRF are:

  • Websites allowing session management through GET requests. Third-parties can get easy access to such sites. So, they are more prone to CSRF attacks. Make sure your site is not among them.
  • Web proxies are very helpful in CSRF detection. Because a proxy records each HTTP request’s journey from beginning to end, you can replay requests without interacting with the client-side interface of the app.

How to Prevent CSRF Attack?

When not dealt with promptly, CSRF attacks can lead to data compromise, theft of money, changed login details, and even loss of control over crucial applications. Hence, along with early detection, practical CSRF prevention strategies should also be deployed.

CSRF-token-based prevention

The primary approach to defending against a CSRF attack is to determine whether the HTTP request was created legitimately, i.e. through the app’s own user interface. Website owners or administrators can use CSRF tokens for this.

The app security team should figure out the attack-prone part of server-side functions and introduce the CSRF token in the HTML form of that vulnerable operational part.

Make sure that the token in the HTML form is not part of the session cookie. Also, use a cryptographically secure random number generator to create tokens.

Utilizing the SameSite Cookie Attribute

The SameSite attribute is widely used to support CSRF prevention. Like the Secure flag and HttpOnly, it tells the browser how to handle the cookie, in this case on cross-site requests.

Its acceptable values are as enlisted:

  1. A ‘Strict’ value stops the browser sending the cookie on cross-site requests.
  2. ‘Lax’ is the default value; it keeps web solutions secure while still allowing the cookie on user requests that arrive through external links. Presently, most browsers apply this as an added line of defense against CSRF attacks, used alongside the CSRF token.
  3. The value ‘None’ is used when you want the cookie sent on requests to cross-site URLs.

Utilizing user interaction for CSRF protection 

It is the easiest way to implement a CSRF prevention strategy. It involves the use of re-authentication, one-time token creation, and CAPTCHA deployment. All these techniques increase user interaction and leave less scope for threat attacks to barge in. Also, it enhances the user experience.  

Controlling Login CSRF 

Many developers fail to understand that CSRF can exist in login forms and cause damage, which is why it is mostly ignored. One can prevent CSRF from affecting login forms by generating a pre-session for each user and introducing CSRF tokens into those sessions. This makes the early authentication safe. But ensure that this pre-session is destroyed once the real session is initiated; ignoring this invites a session-fixation attack.

Double submit cookies 

This method is commonly used as a CSRF defense strategy. It involves storing the same token value in a cookie rather than in a server-side session. The cookie carries the CSRF token, and the same value is placed in a hidden form field. On receiving a request, the server checks whether the CSRF value in the hidden field matches the one in the cookie.
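As an added example (not the article’s own code), the plain-Python module below shows three of the defences described above side by side: a synchronizer token stored in a server-side session, a Set-Cookie header carrying SameSite together with Secure and HttpOnly, and the double-submit cookie check. The session dictionary, field and cookie names, and the sample form values are this example’s own assumptions.

```python
"""Minimal CSRF guard (added example, not from the original article)."""
import hmac
import secrets
from http.cookies import SimpleCookie

TOKEN_FIELD = "csrf_token"    # hidden form field name (assumed)
TOKEN_COOKIE = "csrf_token"   # cookie name for the double-submit variant (assumed)


def generate_token() -> str:
    """32 bytes (256 bits) from a cryptographically secure RNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


# --- Synchronizer token: the token lives in the user's server-side session ---

def issue_synchronizer_token(session: dict) -> str:
    """Create a per-session token and remember it on the server."""
    token = generate_token()
    session[TOKEN_FIELD] = token
    return token


def hidden_field(token: str) -> str:
    """Hidden input to embed in every state-changing HTML form."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}"/>'


def validate_synchronizer(session: dict, form: dict) -> bool:
    """Reject unless the form token is present and equals the session token.
    Constant-time comparison avoids leaking the token through timing."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


# --- SameSite on the session cookie ---

def session_cookie_header(session_id: str, samesite: str = "Lax") -> str:
    """Set-Cookie header with SameSite plus Secure and HttpOnly.
    Browsers only honour SameSite=None when Secure is also present."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    return (f"Set-Cookie: sessionid={session_id}; Path=/; "
            f"HttpOnly; Secure; SameSite={samesite}")


# --- Double-submit cookie: same token in a cookie and in a hidden field ---

def issue_double_submit(response_headers: list, token: str) -> None:
    """Send the token as a cookie; the page must also embed it via hidden_field()."""
    response_headers.append(
        f"Set-Cookie: {TOKEN_COOKIE}={token}; Path=/; Secure; SameSite=Strict")


def validate_double_submit(cookie_header: str, form: dict) -> bool:
    """The value in the request's Cookie header and the hidden field must match."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    cookie_token = jar[TOKEN_COOKIE].value if TOKEN_COOKIE in jar else None
    submitted = form.get(TOKEN_FIELD)
    if not cookie_token or not submitted:
        return False
    return hmac.compare_digest(cookie_token, submitted)


if __name__ == "__main__":
    session = {}
    token = issue_synchronizer_token(session)
    # Constructed sample: a form built by the app vs. a forged form lacking the token
    legit = {"acct": "JENA", "amount": "500", TOKEN_FIELD: token}
    forged = {"acct": "LEO", "amount": "5000"}
    print(hidden_field(token))
    print("legitimate accepted:", validate_synchronizer(session, legit))   # True
    print("forged accepted:", validate_synchronizer(session, forged))      # False
    print(session_cookie_header("s3ss10n-example"))
```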

How to prevent CSRF attack in Javascript?

To protect JavaScript-driven requests against CSRF, a custom request header can be used; this relies on the Same-Origin Policy (SOP) to safeguard the JavaScript part of the app. Such a header can only be added by JavaScript running on the app’s own origin, because by default the browser does not allow JavaScript from another origin to set custom headers.

This approach brings two benefits: no changes to the UI are needed, and no server-side state is required.

Is it necessary to protect API from CSRF attacks?

CSRF attacks are on the rise, and APIs are no exception.

As API usage has increased and become crucial for web and mobile application development, APIs have become a prominent target for CSRF attacks. When an API falls victim to a CSRF attack, the whole digital solution or app is at stake.

For robust API security, it’s crucial to protect API against CSRF attacks. CSRF attacks targeting the APIs can be prevented easily. 

API requests should be restricted to the content type application/json. This reduces the possibility of CSRF attacks, since a plain HTML form cannot send a JSON body and a cross-origin script attempting it is subject to the browser’s same-origin checks.

The API access token should be presented in a request header. Also, APIs should not rely on cookie-based CSRF tokens.

JavaScript-based single-page applications should use cookies only for storage. Such applications should send the authentication token to the API as a header, and the API should not accept requests missing that header.
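As an added example (not the article’s own code), the Python guard below applies the rules above to an incoming API request: the access token must arrive in an Authorization header, cookies are never consulted, and requests with a body are accepted only when the content type is application/json. The request representation, the helper names and the sample token are this example’s assumptions.

```python
"""API request guard against CSRF (added example, not from the original article)."""
from typing import Dict, Optional, Tuple

# Constructed sample token store; a real API would look tokens up in its auth backend.
VALID_API_TOKENS = {"tok_example_123"}

# Methods that carry a body and change state; these get the content-type check.
STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def api_request_allowed(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason). The Cookie header is deliberately ignored, so a
    browser that auto-attaches the victim's cookies gains nothing from them."""
    auth = _header(headers, "Authorization") or ""
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False, "missing bearer token header"
    if token.strip() not in VALID_API_TOKENS:
        return False, "unknown token"
    if method.upper() in STATE_CHANGING:
        # Strip parameters such as "; charset=utf-8" before comparing the media type.
        ctype = (_header(headers, "Content-Type") or "").split(";")[0].strip().lower()
        if ctype != "application/json":
            # HTML forms can only produce urlencoded, multipart or text/plain bodies.
            return False, f"unsupported content type: {ctype or 'none'}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: a legitimate SPA call and a forged browser form post.
    spa_call = {"Content-Type": "application/json; charset=utf-8",
                "Authorization": "Bearer tok_example_123"}
    forged_form = {"Content-Type": "application/x-www-form-urlencoded",
                   "Cookie": "sessionid=abc123; csrf_token=xyz"}
    print("SPA call:", api_request_allowed("POST", spa_call))        # (True, 'ok')
    print("forged form:", api_request_allowed("POST", forged_form))  # (False, ...)
```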

Authors: T. C. Okenna