Top 30 multiple-choice questions (MCQs) only focused on the Security Headers and Cookie Attributes of authentication attacks in WEB Security covering below topics,along with their answers and explanations.
• Explaining the role of security headers (e.g., Strict-Transport-Security) in securing authentication.
• Discussing cookie attributes (e.g., Secure, HttpOnly) for better security.
PRACTICE IT NOW TO SHARPEN YOUR CONCEPT AND KNOWLEDGE
1. What is the purpose of the Strict-Transport-Security (HSTS) header?
- Improving server performance
- Forcing the use of HTTPS
- Enabling cross-origin resource sharing
- Allowing inline scripts in web pages
HSTS enforces secure connections by instructing the browser to always use HTTPS.
2. Which security header helps prevent clickjacking attacks by ensuring that a web page can only be displayed in a frame on the same origin?
- Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- Referrer-Policy
X-Frame-Options header prevents a webpage from being displayed in a frame from a different origin, reducing the risk of clickjacking.
3. What does the X-Content-Type-Options header do?
- Specifies the allowed content types
- Prevents MIME type sniffing
- Sets the character encoding for the document
- Enables cross-origin resource sharing
X-Content-Type-Options with the value "nosniff" prevents browsers from MIME type sniffing, enhancing security.
4. Which header helps protect against cross-site scripting (XSS) attacks by defining a policy for the browser on how to handle content?
- Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- Strict-Transport-Security
Content-Security-Policy (CSP) defines a policy for loading content, mitigating the risk of XSS attacks.
5. What is the primary purpose of the Referrer-Policy header?
- Specifying the allowed referrer sources
- Preventing information leakage in referrer headers
- Configuring cross-origin resource sharing
- Enforcing the use of HTTPS
Referrer-Policy helps control the information included in the Referer header, reducing the risk of information leakage.
6. What does the "Secure" attribute in a cookie mean?
- The cookie can only be accessed over a secure (HTTPS) connection
- The cookie is encrypted
- The cookie is restricted to a specific domain
- The cookie is accessible by JavaScript
The "Secure" attribute ensures that the cookie is only sent over secure, encrypted connections.
7. How does the "HttpOnly" attribute in a cookie enhance security?
- It restricts the cookie to a specific domain
- It prevents the cookie from being accessed by JavaScript
- It encrypts the cookie data
- It allows the cookie to be accessed cross-origin
The "HttpOnly" attribute prevents JavaScript from accessing the cookie, reducing the risk of XSS attacks.
8. What does the "SameSite" attribute in a cookie define?
- The allowed cookie size
- The expiration date of the cookie
- The domain to which the cookie belongs
- The restrictions on when the cookie should be sent
"SameSite" defines when the cookie should be sent, helping mitigate cross-site request forgery (CSRF) attacks.
9. How does the "Domain" attribute in a cookie affect its accessibility?
- It limits the cookie to a specific subdomain
- It restricts the cookie to the same origin
- It specifies the expiration date of the cookie
- It allows the cookie to be accessed by any domain
The "Domain" attribute limits the cookie's accessibility to a specific domain and its subdomains.
10. Which cookie attribute helps protect against man-in-the-middle attacks by ensuring the cookie is sent only over secure connections and cannot be accessed by JavaScript?
- Secure
- HttpOnly
- SameSite
- Domain
The "HttpOnly" attribute ensures that the cookie cannot be accessed by JavaScript, enhancing security against various attacks.
11. What is the purpose of the "SameSite" attribute in a cookie?
- It specifies the cookie's domain
- It controls when the cookie should be sent
- It encrypts the cookie data
- It restricts the cookie to a specific path
The "SameSite" attribute controls when the cookie should be sent, helping prevent cross-site request forgery (CSRF) attacks.
12. How does the "Path" attribute in a cookie impact its accessibility?
- It restricts the cookie to a specific path on the server
- It specifies the domain to which the cookie belongs
- It limits the cookie to a specific subdomain
- It encrypts the cookie data
The "Path" attribute restricts the cookie to a specific path on the server, defining where the cookie is valid.
13. What does the "Expires" attribute in a cookie define?
- The allowed cookie size
- The time when the cookie will expire
- The domain to which the cookie belongs
- The restrictions on when the cookie should be sent
The "Expires" attribute specifies the time when the cookie will expire, after which it will no longer be sent by the browser.
14. Which cookie attribute helps protect against eavesdropping attacks by ensuring the cookie is transmitted only over secure, encrypted connections?
- Secure
- HttpOnly
- SameSite
- Path
The "Secure" attribute ensures that the cookie is only transmitted over secure (HTTPS) connections, enhancing confidentiality.
15. How does the "Max-Age" attribute in a cookie differ from the "Expires" attribute?
- Max-Age is in seconds, while Expires is in days
- Max-Age does not specify an expiration time
- Expires is more secure than Max-Age
- Max-Age does not restrict the cookie to a specific path
"Max-Age" specifies the maximum age of the cookie in seconds, providing a different way to define cookie expiration compared to "Expires."
16. Which security header helps prevent a browser from interpreting files as a different MIME type than declared by the server?
- Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- Strict-Transport-Security
X-Content-Type-Options with the value "nosniff" prevents browsers from MIME type sniffing, reducing the risk of security issues.
17. What is the purpose of the Content-Security-Policy (CSP) header?
- Forcing the use of HTTPS
- Preventing clickjacking attacks
- Defining a policy for handling content, reducing XSS risks
- Controlling information in the Referer header
CSP defines a policy for how content is loaded, mitigating the risk of cross-site scripting (XSS) attacks.
18. How does the X-Frame-Options header contribute to web security?
- By enforcing secure connections
- By preventing MIME type sniffing
- By controlling content loading policies
- By protecting against clickjacking attacks
X-Frame-Options prevents a webpage from being displayed in a frame from a different origin, enhancing security against clickjacking.
19. What does the Referrer-Policy header control?
- The allowed referrer sources
- The use of cookies
- The character encoding for the document
- The restrictions on when the cookie should be sent
Referrer-Policy controls the information included in the Referer header, managing the allowed referrer sources.
20. What does the "Secure" attribute in a cookie mean?
- The cookie can only be accessed over a secure (HTTPS) connection
- The cookie is encrypted
- The cookie is restricted to a specific domain
- The cookie is accessible by JavaScript
The "Secure" attribute ensures that the cookie is only sent over secure, encrypted connections.
21. How does the "HttpOnly" attribute in a cookie enhance security?
- It restricts the cookie to a specific domain
- It prevents the cookie from being accessed by JavaScript
- It encrypts the cookie data
- It allows the cookie to be accessed cross-origin
The "HttpOnly" attribute prevents JavaScript from accessing the cookie, reducing the risk of XSS attacks.
22. What does the "SameSite" attribute in a cookie define?
- The allowed cookie size
- The expiration date of the cookie
- The domain to which the cookie belongs
- The restrictions on when the cookie should be sent
"SameSite" defines when the cookie should be sent, helping mitigate cross-site request forgery (CSRF) attacks.
23. How does the "Domain" attribute in a cookie affect its accessibility?
- It limits the cookie to a specific subdomain
- It restricts the cookie to the same origin
- It specifies the expiration date of the cookie
- It allows the cookie to be accessed by any domain
The "Domain" attribute limits the cookie's accessibility to a specific domain and its subdomains.
24. Which cookie attribute helps protect against man-in-the-middle attacks by ensuring the cookie is sent only over secure connections and cannot be accessed by JavaScript?
- Secure
- HttpOnly
- SameSite
- Domain
The "HttpOnly" attribute ensures that the cookie cannot be accessed by JavaScript, enhancing security against various attacks.
25. Which security header helps prevent a browser from interpreting files as a different MIME type than declared by the server?
- Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- Strict-Transport-Security
X-Content-Type-Options with the value "nosniff" prevents browsers from MIME type sniffing, reducing the risk of security issues.
26. What is the purpose of the Content-Security-Policy (CSP) header?
- Forcing the use of HTTPS
- Preventing clickjacking attacks
- Defining a policy for handling content, reducing XSS risks
- Controlling information in the Referer header
CSP defines a policy for how content is loaded, mitigating the risk of cross-site scripting (XSS) attacks.
27. How does the X-Frame-Options header contribute to web security?
- By enforcing secure connections
- By preventing MIME type sniffing
- By controlling content loading policies
- By protecting against clickjacking attacks
X-Frame-Options prevents a webpage from being displayed in a frame from a different origin, enhancing security against clickjacking.
28. What does the Referrer-Policy header control?
- The allowed referrer sources
- The use of cookies
- The character encoding for the document
- The restrictions on when the cookie should be sent
Referrer-Policy controls the information included in the Referer header, managing the allowed referrer sources.
29. Which security header is responsible for indicating whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>?
- Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- Strict-Transport-Security
X-Frame-Options controls whether a page can be displayed in a frame, iframe, embed, or object, preventing clickjacking.
