Day2: Building Secured Applications
CSRF tokens ARE visible in frontend.
If user opens:
DevTools, Inspect, console, page source,they can see token.
Then Why Is It Still Secure?
Because:
only the CURRENT authenticated user/browser can access their own token.
Day2: Building Secured Applications
This is one of the MOST common real-world vulnerabilities.
And honestly:
many beginners accidentally create this vulnerability without realizing it.
@cosmicc1444 That's like stealing someone's house key's photo and trying to open the door with the photo itself. 😆
The lock wants the actual key (password), not a picture of it (hash).
@cosmicc1444 Absolutely. Security starts when user input is treated strictly as data, not executable code. Parameterized queries and proper input validation are fundamental to preventing vulnerabilities like SQL injection.
Day1 : Building a Secured Application
If attackers already have the hash values from the database, can’t they just use those hashes as passwords?
The website login system does NOT say:
“Give me the hash.”
It says:
“Give me the original password.”
Then it verifies to match.
Day 1: Building a Secured Application
The real issue:
Whether input is treated as DATA or CODE.
That’s the entire security concept.
Separate SQL logic from user data!