Last modified: October 29, 2024

This article is written in: 🇺🇸

Protocols

It's important for frontend developers to really grasp how network protocols work. These protocols control how data moves across networks, making sure the frontend and backend communicate smoothly. It's not enough to just know the names and basic functions of these protocols — developers need to understand the details of how they operate to ensure that systems can communicate efficiently and securely.

Foundational Concepts

Internet

The Internet is a complex, interconnected system that brings together millions of devices across the globe. Often called a “network of networks,” it connects various private, public, academic, business, and government networks. This allows for seamless communication between people and devices worldwide, making it possible to share information almost instantaneously.

The foundation of the Internet relies on a few essential components:

Simplified Internet Diagram:

[User Device]
     |
[Local Network]
     |
[Internet Service Provider (ISP)]
     |
[Internet Backbone]
     |
[Destination Server]

Browsers

Web browsers are essential software applications that allow users to access, retrieve, and view information on the World Wide Web. They act as clients by sending requests to web servers using protocols like HTTP or HTTPS, and they render the received content, typically written in formats such as HTML, CSS, and JavaScript, so users can interact with it.

Browsers consist of several core components that work together to deliver a smooth browsing experience:

Several popular browsers dominate the landscape, each with its unique features. Google Chrome is widely recognized for its speed and developer-friendly tools, while Mozilla Firefox emphasizes privacy and offers extensive customization options. Microsoft Edge, built on the Chromium engine, integrates smoothly with the Windows ecosystem, making it a popular choice for Windows users. Safari, optimized for Apple devices, provides an efficient browsing experience on macOS and iOS.

For those working on web development, browser developer tools offer a variety of features to streamline the process. With the element inspector, developers can examine and modify the structure (DOM) and style (CSS) of a webpage in real-time. The console helps with debugging JavaScript code by displaying error messages and allowing for testing directly within the browser. A network monitor provides insights into HTTP requests and responses, which is invaluable for optimizing page load times. Additionally, a performance profiler helps identify and resolve performance issues, while the security panel allows developers to inspect aspects like security certificates and identify any mixed content issues.

Browser Architecture:

+------------------------------------------------------+
|                      Browser                         |
|------------------------------------------------------|
|  User Interface  |  Browser Engine  |  Data Storage  |
|------------------------------------------------------|
|            Rendering Engine (HTML/CSS)               |
|------------------------------------------------------|
|            JavaScript Interpreter (JS Engine)        |
|------------------------------------------------------|
|                    Networking                        |
+------------------------------------------------------+

DNS (Domain Name System)

The Domain Name System, or DNS, functions much like the Internet's phonebook. When you type a website address, such as openai.com, DNS translates this human-readable name into a machine-readable IP address, like 192.0.2.1. This process allows you to access websites by entering memorable names rather than complex numerical codes.

Several key components make up the DNS system. First, the DNS resolver is a client-side element that starts the process by sending DNS queries. At the top of the hierarchy, root name servers hold authority over the root zone, directing the query to the appropriate next step. Top-Level Domain (TLD) servers, which manage domains like .com, .org, and .net, come next, followed by authoritative name servers that store specific domain records. Together, these components work in sequence to help users reach the correct web address.

The DNS uses different types of records to handle various tasks:

When you enter a website address into your browser, the DNS resolution process begins. First, the browser checks its cache for a stored IP address. If it’s not there, the operating system cache is the next stop. Should both caches be empty, a recursive resolver, typically provided by your ISP, takes over. This resolver queries a root server, which points to the TLD server for the domain’s extension (such as .com). The TLD server then directs the resolver to the authoritative name server holding the domain’s IP address. Finally, the resolver retrieves this address and sends it back to the browser, allowing it to establish a connection to the website’s server.

DNS Query Flow Diagram:

[Browser]
   |
[DNS Resolver]
   |
[Root Server] -> [TLD Server] -> [Authoritative Server]
   |
[IP Address Returned]

Domain Name

A domain name is the human-friendly address you type into a browser to reach a website. Instead of remembering numerical IP addresses, users can simply enter a domain name, like google.com, to access the site. This makes navigating the Internet easier and more intuitive.

Domain names have a specific structure with three main parts, each serving a distinct purpose:

To illustrate, a typical domain name can be broken down like this:

[Subdomain].[Second-Level Domain].[Top-Level Domain]
    www             google               com

Managing domain names relies on a hierarchical system. At the top, the Internet Corporation for Assigned Names and Numbers (ICANN) oversees the entire domain name structure and its allocation. Specific organizations called registries are responsible for managing TLDs and keeping DNS records updated. Then, registrars are the entities where individuals or businesses can register domain names. Once registered, the person or organization that acquires the domain is known as the registrant, effectively the domain’s owner.

Domain Name System Hierarchy:

[.] (Root)
 |
[.com] (TLD)
 |
[example] (SLD)
 |
[www] (Subdomain)

Protocols in Action

HTTP (HyperText Transfer Protocol)

HTTP, or Hypertext Transfer Protocol, serves as the backbone for transmitting web documents like HTML across the Internet. It relies on a request-response model, where the client, usually a web browser, initiates a request, and the server responds with the desired content.

Several key characteristics define HTTP. First, the request-response cycle is fundamental: the client sends a request, and the server returns a response. It’s also a stateless protocol, meaning each request stands alone, with no memory of past interactions; this simplicity enhances efficiency. Additionally, HTTP typically operates over TCP, or Transmission Control Protocol, at the transport layer, which ensures reliable delivery of data between client and server.

In an HTTP interaction, both the request and response have specific components:

I. For the request, sent by the client:

II. On the server’s side, the response includes:

Basic HTTP Methods:

Method Description
GET Retrieve resources from the server
POST Submit data to the server, often to create or modify a resource
PUT Replace or add a resource at a specific URL
PATCH Modify part of an existing resource
DELETE Remove a resource

HTTP Request-Response Cycle Diagram

[Client Browser] -- HTTP Request --> [Web Server]
                    <-- HTTP Response --

Detailed Examples of HTTP Methods

GET Method

The GET method is used to request data from the server without modifying it. An example would be retrieving a webpage or making a query to a search engine.

Sample HTTP GET Request:

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html

Sample HTTP GET Response:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 3057

<!DOCTYPE html>
<html>
...

Using curl in the terminal to make a GET request:

curl -i -H "Accept: application/json" -H "Content-Type: application/json" "https://api.github.com/users/octocat"

Response:

HTTP/2 200 
{
  "login": "octocat",
  "id": 583231,
  "name": "The Octocat",
  ...
}

POST Method

The POST method is used to send data to the server to create or update a resource, such as submitting a form on a webpage.

Using curl to send a POST request:

curl -X POST -H "Content-Type: application/json" -d '{"username":"testuser", "password":"testpassword"}' "https://reqbin.com/echo/post/json"

Response:

{
  "success": "true",
  "data": {
    "username": "testuser",
    "password": "testpassword"
  }
}

HTTP APIs and Standards

Various standards have been established for APIs over time, allowing systems to communicate over HTTP.

Some of the key API standards include:

Protocol Year Description
XML-RPC 1998 A protocol for remote procedure calls using XML to encode the calls.
SOAP 1999 A protocol for exchanging structured information in web services.
REST 2000 An architectural style that uses standard HTTP methods to interact with resources.
JSON-RPC 2005 A remote procedure call protocol encoded in JSON.
GraphQL 2015 A query language for APIs that allows clients to specify exactly the data they need.

REST (Representational State Transfer)

RESTful APIs rely on standard HTTP methods like GET, POST, PUT, and DELETE to manipulate resources. Each resource is identified by a URL, and actions are performed using these methods.

Example REST API:

GET Request Example:

curl -i -H "Accept: application/json" -H "Content-Type: application/json" "https://jsonplaceholder.typicode.com/todos/3"

Response:

{
  "userId": 1,
  "id": 3,
  "title": "fugiat veniam minus",
  "completed": false
}

POST Request Example:

curl --data "title=New Todo&completed=false" https://jsonplaceholder.typicode.com/todos

Response:

{
  "title": "New Todo",
  "completed": false,
  "id": 201
}

HTTP Status Codes

HTTP status codes are three-digit numbers that indicate the result of an HTTP request.

Category Status Code Range
Informational 1xx
Successful 2xx
Redirection 3xx
Client Error 4xx
Server Error 5xx

Common HTTP Status Codes:

Code Description
200 OK - The request was successful
201 Created - A resource was successfully created
301 Moved Permanently - The requested resource has a new permanent URI
302 Found - The resource is temporarily located at a different URI
400 Bad Request - The request could not be understood or was missing required parameters
401 Unauthorized - Authentication is required
403 Forbidden - The request is understood, but the server is refusing to fulfill it
404 Not Found - The requested resource could not be found
500 Internal Server Error - An error occurred on the server

HTTPS (HTTP Secure)

HTTPS is the secure version of HTTP. It uses SSL/TLS to encrypt communication between the client and server, providing three main benefits:

HTTPS Connection Process

  1. The client requests a secure connection, including supported encryption methods.
  2. The server responds, providing its SSL certificate.
  3. The client verifies the server's certificate to ensure it's authentic.
  4. Both parties agree on encryption keys to use for secure communication.
  5. Data is encrypted and exchanged securely.

FTP

FTP, or File Transfer Protocol, is a standard network protocol that facilitates file transfers between a client and a server over a TCP-based network. It’s commonly used for straightforward file sharing, especially when large files or batches of files need to be moved efficiently.

FTP has a few key features:

There are some important security considerations with FTP as well:

FTP Workflow Diagram:

[Client]
   |
[Control Connection (Commands)]
   |
[FTP Server]
   |
[Data Connection (File Transfer)]

Common FTP Commands:

Command Description
LIST List files in the current directory.
RETR Retrieve (download) a file.
STOR Store (upload) a file.
DELE Delete a file.
MKD Make a new directory.

WebSockets

WebSockets enable full-duplex communication over a single TCP connection, which allows for real-time data exchange between a client and a server. This setup is particularly useful in scenarios where both sides need to send and receive data quickly and efficiently.

The advantages of using WebSockets are numerous:

WebSockets are often used in a variety of real-time applications:

The WebSocket handshake process is straightforward and ensures the protocol switch happens seamlessly. It begins with a client request that includes an Upgrade header to indicate the switch from HTTP to WebSocket. The server responds with a 101 Switching Protocols message to confirm this upgrade, and once this response is received, a connection is established. From there, communication switches to WebSocket, allowing both client and server to begin exchanging data in real-time.

Simplified WebSocket Diagram:

[Client Browser] <---- Persistent Connection ----> [Server]
       |                                               |
    Send/Receive Messages in Real-Time

Sample WebSocket Code (JavaScript):

const socket = new WebSocket('wss://example.com/socket');

socket.onopen = () => {
  console.log('WebSocket connection established.');
  socket.send('Hello Server!');
};

socket.onmessage = (event) => {
  console.log('Received:', event.data);
};

socket.onclose = () => {
  console.log('WebSocket connection closed.');
};

TCP and UDP

TCP, or Transmission Control Protocol, and UDP, or User Datagram Protocol, are essential components of the Internet Protocol Suite, both operating at the transport layer. While they share the role of transporting data, they do so in very different ways, each suited to specific types of network communication.

TCP has a few key features that make it ideal for reliable, ordered data transmission:

On the other hand, UDP takes a more streamlined approach, favoring speed over reliability:

Comparison Table:

Feature TCP UDP
Connection Connection-Oriented Connectionless
Reliability Reliable (Acknowledgements) Unreliable
Ordering Ordered Data Transmission No Ordering Guarantees
Overhead Higher (due to error checking) Lower
Use Cases Web Browsing, Email, File Transfer Streaming, Gaming, VoIP

TCP Connection Process (Three-Way Handshake):

  1. SYN: Client sends synchronization packet to server.
  2. SYN-ACK: Server acknowledges with synchronization-acknowledgment packet.
  3. ACK: Client sends acknowledgment to establish connection.

TCP Diagram:

[Client] -- SYN --> [Server]
[Client] <-- SYN-ACK -- [Server]
[Client] -- ACK --> [Server]
Connection Established

UDP Communication Diagram:

[Client] -- Data Packet --> [Server]
(No handshake; data sent immediately)

Web Security Essentials

Web security is paramount in safeguarding websites and their users from malicious threats. It involves implementing measures to protect data integrity, confidentiality, and availability.

HTTPS

HTTPS, or Hypertext Transfer Protocol Secure, is the secure version of HTTP that uses SSL/TLS protocols to encrypt data exchanged between a browser and a web server. By securing the data transfer, HTTPS helps protect sensitive information from being intercepted by unauthorized parties.

The importance of HTTPS spans several key areas:

HTTPS relies on SSL/TLS protocols for secure communication:

Additionally, Certificate Authorities (CAs) play a crucial role in the HTTPS ecosystem. These trusted organizations issue digital certificates, which verify the ownership of the encryption keys used in HTTPS. By confirming a website’s identity, CAs help establish a secure and trustworthy connection between users and web servers.

Visual Representation of HTTPS Connection:

[Client Browser] <-- Encrypted Data --> [Web Server]

CORS

Cross-Origin Resource Sharing, or CORS, is a security feature that controls how web applications running in one origin (or domain) can interact with resources from another origin. This feature helps maintain security by allowing or restricting cross-origin access based on certain rules.

The same-origin policy is enforced by browsers to enhance security. By default, it restricts web pages from making HTTP requests to a different origin than their own. This prevents unauthorized access to data and protects users from various types of attacks, such as Cross-Site Scripting (XSS).

CORS works through specific HTTP headers, which dictate what is permitted in a cross-origin request:

CORS requests come in two types, depending on their complexity:

CORS Workflow Diagram:

[Browser] -- Preflight OPTIONS Request --> [Server]
                    |
         [Server sends CORS headers]
                    |
[Browser] -- Actual Request --> [Server]

Content Security Policy

Content Security Policy, or CSP, is a security standard designed to prevent a range of attacks, such as cross-site scripting (XSS) and clickjacking. By specifying trusted sources for web content, CSP helps to ensure that only authorized scripts, styles, and other resources are loaded on a website, enhancing security against code injection vulnerabilities.

There are two main ways to implement CSP on a website:

CSP includes a variety of directives that allow you to control specific types of content:

Example CSP Header:

Content-Security-Policy: default-src 'self'; img-src 'self' https://images.example.com; script-src 'self' 'unsafe-inline'

Benefits:

OWASP Security Risks

The Open Web Application Security Project, or OWASP, is a non-profit organization dedicated to improving web application security. One of its most well-known resources is the OWASP Top Ten list, which highlights critical security risks that developers should be aware of to protect their applications.

The latest OWASP Top Ten list identifies key security risks:

  1. Broken Access Control is a risk where users gain unauthorized access to resources, which can lead to data leaks and compromised functionality.
  2. Cryptographic Failures occur when sensitive data, such as passwords and personal information, isn’t adequately protected through encryption, leaving it vulnerable to attackers.
  3. Injection vulnerabilities arise when untrusted data is processed as executable code, potentially allowing attackers to manipulate the system, as seen in SQL or command injection attacks.
  4. Insecure Design highlights fundamental flaws in the application’s design that open up security risks, often due to inadequate planning for secure practices during development.
  5. Security Misconfiguration refers to improperly configured security settings, which can leave systems open to attacks if not correctly managed.
  6. Vulnerable and Outdated Components are issues that result from using outdated libraries or frameworks with known vulnerabilities, creating a weak link in the application’s security.
  7. Identification and Authentication Failures can lead to unauthorized access if authentication mechanisms are weak or improperly implemented.
  8. Software and Data Integrity Failures involve issues where code or data lacks integrity controls, making it easier for attackers to introduce malicious alterations.
  9. Security Logging and Monitoring Failures represent a lack of sufficient logging and monitoring, which can delay detection of attacks or hinder response efforts.
  10. Server-Side Request Forgery (SSRF) happens when attackers trick the server into sending requests to unintended destinations, potentially leading to unauthorized access to internal systems.

To address these risks, OWASP recommends several mitigation strategies:

OWASP provides various resources to help developers secure their applications effectively:

API Security

API security is all about protecting application programming interfaces (APIs) from malicious attacks and misuse. By ensuring that only authorized users and applications can access APIs, API security plays a crucial role in safeguarding data and maintaining the integrity of connected services.

Several key concepts form the foundation of API security:

Implementing API security effectively involves several best practices:

API Security Layers:

[Client]
   |
[Authentication Layer] -- Validates identity
   |
[Authorization Layer] -- Checks permissions
   |
[API Logic]

Authentication and Authorization

Authentication and authorization are essential security processes in controlling access to systems. While authentication verifies the identity of the user, authorization determines what resources the user is allowed to access, based on established permissions.

There are several common methods for authentication:

For authorization, different models control how access is granted:

The OAuth 2.0 framework further enhances authorization by defining roles within the access control process:

OAuth 2.0 Flow Diagram:

[Client] -- Authorization Request --> [Authorization Server]
                  |
    [User Authenticates and Authorizes]
                  |
[Client] <-- Access Token Issued -- [Authorization Server]
                  |
[Client] -- API Request with Token --> [Resource Server]

Data Encryption

Data encryption is the process of transforming readable data, known as plaintext, into an unreadable format called ciphertext. This transformation helps prevent unauthorized access, ensuring that only those with the correct decryption key can revert the data back to its original form.

There are two primary types of encryption:

Some of the most common encryption algorithms include:

In addition to encryption, hash functions play a crucial role in data security:

Encryption Workflow:

[Plaintext] -- Encryption Algorithm + Key --> [Ciphertext]
[Ciphertext] -- Decryption Algorithm + Key --> [Plaintext]

Applications:

Secure Development Practices

Secure development practices are all about embedding security measures throughout the software development lifecycle (SDLC). By addressing potential vulnerabilities from the outset, these practices help ensure that applications are both functional and secure.

Several key practices are integral to secure development:

Each phase of the SDLC has a role in maintaining security:

  1. In requirements gathering, teams define security requirements alongside functional ones, ensuring that security is a primary consideration from the start.
  2. The design phase incorporates security architecture and threat models, building a secure foundation for the application.
  3. During implementation, developers follow secure coding practices to create robust code that resists common vulnerabilities.
  4. The testing phase includes security tests in addition to traditional functional testing, allowing teams to validate the security of the application before it goes live.
  5. Deployment involves setting up secure configurations and ensuring the environment is secure. This step is essential for protecting the application as it enters production.
  6. In maintenance, teams monitor the application, apply patches, and make ongoing improvements to address new threats as they arise.

Security Monitoring and Incident Response

Security monitoring and incident response are two crucial aspects of maintaining a secure environment. Security monitoring focuses on the continuous observation of systems to detect potential threats early, while incident response is a structured approach to managing and resolving security incidents when they occur.

Various tools play a role in effective security monitoring:

The incident response process is typically organized into several phases:

  1. Preparation is the first phase, where organizations develop policies, procedures, and communication plans for handling incidents. This proactive planning helps ensure that teams are ready to respond effectively when an incident occurs.
  2. In the identification phase, the team works to detect and determine the scope of the incident, assessing the potential impact and identifying affected systems.
  3. Containment aims to limit the spread of the incident and minimize its impact. This step often involves isolating compromised systems and blocking unauthorized access.
  4. The eradication phase involves eliminating the root cause of the incident and removing any affected components from the environment to prevent recurrence.
  5. During recovery, teams restore systems and services to their normal operation, ensuring they are secure and fully functional before resuming regular activities.
  6. Finally, lessons learned provides an opportunity to analyze the incident and identify improvements for future response efforts. This reflection helps organizations strengthen their defenses and response capabilities.

An effective incident response team comprises various roles to ensure a comprehensive approach:

Vulnerability Management

Vulnerability management is a proactive process aimed at identifying, assessing, addressing, and reporting security vulnerabilities across an organization’s systems. This ongoing practice is essential for maintaining a strong security posture by reducing potential attack surfaces before they can be exploited.

The vulnerability management process includes several key steps:

  1. Asset inventory is the starting point, where you create a comprehensive list of all hardware and software assets within the organization. This inventory forms the foundation for understanding what needs to be protected.
  2. Vulnerability identification follows, using tools and scanners to uncover potential vulnerabilities. This step involves scanning systems, networks, and applications to identify areas of weakness.
  3. In risk assessment, identified vulnerabilities are prioritized based on factors like severity and potential impact. By assessing the risk level, you can focus on addressing the most critical issues first.
  4. Remediation planning involves developing strategies to address each vulnerability, which may include applying patches, updating configurations, or implementing new security measures.
  5. During mitigation and patching, you apply fixes or workarounds to resolve the vulnerabilities. This step is essential for reducing the risk of exploitation by actively addressing identified issues.
  6. Verification is the next step, where teams confirm that vulnerabilities have been successfully resolved. This may involve rescanning systems or running tests to ensure fixes are effective.
  7. Finally, reporting documents all actions taken and communicates the results to stakeholders. Clear reporting provides transparency and helps demonstrate progress in securing the organization’s assets.

There are various tools available to support vulnerability management efforts:

However, vulnerability management comes with its own set of challenges:

Adhering to legal and regulatory standards is essential for organizations to protect user data and avoid legal repercussions. These standards help ensure that personal and sensitive information is handled responsibly and ethically.

Several key regulations and standards set the framework for data protection:

To ensure compliance with these regulations, organizations engage in a variety of activities:

Non-compliance with these standards can lead to significant penalties:

Generate a CSR on Your Server

Generating a Certificate Signing Request (CSR) is an essential step in obtaining an SSL/TLS certificate, which enables HTTPS on your server and secures data transmission. The following steps guide you through generating a CSR using OpenSSL.

I. Start by generating a private key. This key is critical for your server’s security, and you’ll need it for the CSR. Use the following command:

openssl genrsa -out your_domain.com.key 2048

Here, 2048 specifies the key length in bits. A higher number generally indicates stronger encryption, though 2048 bits is standard for most cases.

II. Next, generate the CSR itself by running:

openssl req -new -key your_domain.com.key -out your_domain.com.csr

III. As part of this process, you’ll need to enter information about your organization. This information will be associated with your certificate and includes:

Field Description
Country Name (C) A two-letter country code, like US.
State or Province Name (ST) The full name of your state or province.
Locality Name (L) The name of your city.
Organization Name (O) Your organization’s legal name.
Organizational Unit Name (OU) The department within your organization, if applicable.
Common Name (CN) The Fully Qualified Domain Name (FQDN) for which you’re requesting the certificate, e.g., www.your_domain.com.
Email Address A contact email, typically for administrative purposes.

IV. After you have the .csr file, you’ll submit it to a Certificate Authority (CA). Choose a CA like Let’s Encrypt, DigiCert, or Comodo, and provide them with the CSR. The CA will verify your information and issue the SSL/TLS certificate.

V. Once you receive your certificate from the CA, you’ll need to install it on your server. This installation will include both the certificate itself and the private key you generated in the first step. Some CAs may also provide intermediate certificates, which you’ll need to install to establish a full chain of trust.

A few important considerations when generating and handling CSRs include:

Here’s a simplified diagram of the CSR generation process:

[Server]
   |
[Generate Private Key] --> (.key file)
   |
[Generate CSR] --> (.csr file)
   |
[Submit CSR to CA]
   |
[Receive SSL Certificate] --> (.crt file)
   |
[Install Certificate on Server]

If you prefer an automated solution for SSL/TLS certificates, Let’s Encrypt offers free certificates through a tool called Certbot. With Certbot, you can automate both the installation and renewal processes:

To install a certificate for an Apache server, for example, use:

sudo certbot --apache -d your_domain.com -d www.your_domain.com

Let’s Encrypt certificates are valid for 90 days, so it’s recommended to set up automated renewal to ensure your certificates remain current without manual intervention.

What happens when you enter a URL in the browser?

When you type a URL into your browser, a lot of things happen behind the scenes to fetch and show the webpage you're looking for. Here's a breakdown of that process:

I. Entering the URL

II. DNS Resolution

III. Setting Up a TCP Connection

IV. Sending HTTP Requests

V. Receiving HTTP Responses

VI. Rendering the Webpage

Table of Contents

    Protocols
    1. Foundational Concepts
      1. Internet
      2. Browsers
      3. DNS (Domain Name System)
      4. Domain Name
    2. Protocols in Action
      1. HTTP (HyperText Transfer Protocol)
      2. HTTP Request-Response Cycle Diagram
    3. Detailed Examples of HTTP Methods
      1. GET Method
      2. POST Method
    4. HTTP APIs and Standards
      1. REST (Representational State Transfer)
    5. HTTP Status Codes
    6. HTTPS (HTTP Secure)
      1. HTTPS Connection Process
      2. FTP
      3. WebSockets
      4. TCP and UDP
    7. Web Security Essentials
      1. HTTPS
      2. CORS
      3. Content Security Policy
      4. OWASP Security Risks
      5. API Security
      6. Authentication and Authorization
      7. Data Encryption
      8. Secure Development Practices
      9. Security Monitoring and Incident Response
      10. Vulnerability Management
      11. Legal and Regulatory Compliance
      12. Generate a CSR on Your Server
    8. What happens when you enter a URL in the browser?