Web security resources

General resources

Headers

HTTP Strict Transport Security (HSTS)

Developers don't understand CORS

Cross-Site Scripting (XSS) / Cross-Site Script Inclusion (XSSI)

CSS Injections

Open redirects

Cache poisoning / request smuggling

Insecure direct object reference (IDOR)

IDOR (Insecure direct object reference)

Creative injections

CRLF injection on Twitter or why blacklists fail

URI exploitation

Abusing of protocols to upload local files, bypass the HTML5 sandbox, and open popups (Edge)

Scanning

Exposing intranets with reliable browser-based port scanning