Here are the top 25 multiple-choice questions (MCQs) focused on HTML5 features and elements in Security Best Practices, along with their answers and explanations.
1. What does the HTTP header "X-Content-Type-Options" with the value "nosniff" do?
- Prevents the browser from rendering the page if MIME types are not specified
- Enables cross-origin resource sharing
- Allows inline scripts and styles in the content
- Disables cookies for a specific domain
The "X-Content-Type-Options" header with the value "nosniff" prevents the browser from rendering a page if MIME types are not specified, helping to mitigate MIME-based attacks.
2. What does the "Content Security Policy" (CSP) HTTP header do?
- Specifies the preferred content encoding for the response
- Prevents clickjacking attacks
- Defines the allowed sources of content that the browser may load
- Controls browser caching behavior
The "Content Security Policy" (CSP) HTTP header defines the allowed sources of content that the browser may load, helping to prevent cross-site scripting (XSS) and other code injection attacks.
3. Which HTTP header helps prevent clickjacking attacks by controlling who can embed the web page?
- X-Content-Type-Options
- Content-Security-Policy
- X-Frame-Options
- X-XSS-Protection
The "X-Frame-Options" HTTP header helps prevent clickjacking attacks by controlling who can embed the web page in an iframe.
4. What does the "Strict-Transport-Security" (HSTS) HTTP header do?
- Provides secure user authentication
- Forces the browser to load resources over HTTPS
- Enforces a strong password policy
- Enables two-factor authentication
The "Strict-Transport-Security" (HSTS) HTTP header forces the browser to load resources over HTTPS, helping to ensure secure communication.
5. Which HTTP header instructs the browser to block mixed content (HTTP content on an HTTPS page)?
- Access-Control-Allow-Origin
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
The "Content-Security-Policy" (CSP) HTTP header can be used to instruct the browser to block mixed content, enhancing security for HTTPS pages.
6. What does the HTTP header "X-XSS-Protection" with the value "1; mode=block" do?
- Enforces strict password policies
- Blocks JavaScript code injection attempts
- Enables two-factor authentication
- Disables browser caching
The "X-XSS-Protection" header with the value "1; mode=block" helps block JavaScript code injection attempts, enhancing security against cross-site scripting (XSS) attacks.
7. What does "Clickjacking" refer to in web security?
- A type of social engineering attack
- A method to secure server hardware
- An attack that tricks users into clicking on hidden malicious elements
- A way to accelerate content delivery
Clickjacking is an attack that tricks users into clicking on hidden malicious elements by overlaying them on top of legitimate content.
8. Which HTTP header allows you to specify who can make cross-origin requests to your web server?
- X-Frame-Options
- X-Content-Type-Options
- Content-Security-Policy
- Access-Control-Allow-Origin
The "Access-Control-Allow-Origin" header allows you to specify who can make cross-origin requests to your web server, helping to prevent cross-origin issues.
9. What is the primary purpose of the "Referrer-Policy" HTTP header?
- To specify the preferred content encoding for the response
- To control how the browser handles the "Referer" header in requests
- To disable cookies for a specific domain
- To prevent clickjacking attacks
The "Referrer-Policy" HTTP header controls how the browser handles the "Referer" header in requests, helping to protect user privacy.
10. What does the "Expect-CT" HTTP header do?
- Forces the browser to load resources over HTTPS
- Enforces a strong password policy
- Instructs the browser to check that certificates are valid and issued by trusted Certificate Authorities (CAs)
- Enables two-factor authentication
The "Expect-CT" HTTP header instructs the browser to check that certificates are valid and issued by trusted Certificate Authorities (CAs), enhancing certificate transparency.
11. Which HTTP header is used to specify the preferred content encoding for the response?
- X-Frame-Options
- Content-Security-Policy
- X-Content-Type-Options
- Content-Encoding
The "Content-Encoding" header is used to specify the preferred content encoding for the response, such as gzip or deflate compression.
12. What is "SQL Injection" in web security?
- An attack that tricks users into clicking on hidden malicious elements
- A type of social engineering attack
- An attack that allows unauthorized access to a web server
- An attack that exploits vulnerabilities in SQL queries to manipulate a database
SQL Injection is an attack that exploits vulnerabilities in SQL queries to manipulate a database, potentially gaining unauthorized access.
13. What does the "Cross-Origin Embedder Policy" (COEP) HTTP header do?
- Enforces a strong password policy
- Allows cross-origin requests to access certain resources
- Specifies the preferred content encoding for the response
- Controls how cross-origin content is embedded in a page
The "Cross-Origin Embedder Policy" (COEP) HTTP header controls how cross-origin content is embedded in a page, enhancing security.
14. Which HTTP header is used to control how cross-origin content is embedded in a page?
- X-Content-Type-Options
- Content-Security-Policy
- Referrer-Policy
- Cross-Origin-Embedder-Policy
The "Cross-Origin-Embedder-Policy" header is used to control how cross-origin content is embedded in a page, enhancing security.
15. What is the primary goal of a "Security Assessment" in web security?
- To control browser caching behavior
- To impersonate a legitimate user
- To identify and evaluate security risks and vulnerabilities
- To enable cross-origin resource sharing
The primary goal of a Security Assessment is to identify and evaluate security risks and vulnerabilities in a system or application.
16. What does "Cross-Site Scripting" (XSS) refer to in web security?
- A type of social engineering attack
- A method to secure server hardware
- An attack that exploits vulnerabilities in SQL queries
- An attack that injects malicious scripts into web pages viewed by other users
Cross-Site Scripting (XSS) is an attack that injects malicious scripts into web pages viewed by other users, potentially leading to various security risks.
17. Which HTTP header is used to control how the browser handles the "Referer" header in requests?
- X-Frame-Options
- X-XSS-Protection
- Referrer-Policy
- Content-Security-Policy
The "Referrer-Policy" HTTP header controls how the browser handles the "Referer" header in requests, helping to protect user privacy.
18. What does the "Cross-Site Request Forgery" (CSRF) attack do?
- Manipulates a web application's session
- Impersonates a legitimate user
- Forces the browser to load resources over HTTPS
- Executes malicious actions on behalf of an authenticated user without their consent
The Cross-Site Request Forgery (CSRF) attack executes malicious actions on behalf of an authenticated user without their consent.
19. What is the primary goal of a "Penetration Test" in web security?
- To enforce a strong password policy
- To enable cross-origin resource sharing
- To identify and exploit vulnerabilities in a system
- To evaluate the security of a system by simulating attacks
The primary goal of a Penetration Test is to evaluate the security of a system by simulating attacks and identifying vulnerabilities.
20. Which HTTP header helps prevent MIME-based attacks by specifying the preferred content type for the response?
- Content-Encoding
- X-Content-Type-Options
- X-Frame-Options
- Referrer-Policy
The "X-Content-Type-Options" header helps prevent MIME-based attacks by specifying the preferred content type for the response.
21. What does "Cross-Site Request Forgery" (CSRF) refer to in web security?
- A type of social engineering attack
- A way to accelerate content delivery
- An attack that tricks users into revealing sensitive information
- An attack that forces an authenticated user to perform actions without their consent
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to perform actions without their consent.
22. Which HTTP header enforces a strong password policy for user authentication?
- X-Frame-Options
- Strict-Transport-Security
- Access-Control-Allow-Origin
- Content-Security-Policy
The "Strict-Transport-Security" (HSTS) HTTP header enforces the use of HTTPS for secure user authentication.
23. What does the HTTP header "Expect-CT" do?
- Specifies the preferred content encoding for the response
- Enforces a strong password policy
- Instructs the browser to check that certificates are valid and issued by trusted Certificate Authorities (CAs)
- Prevents cross-origin requests
The "Expect-CT" header instructs the browser to check that certificates are valid and issued by trusted Certificate Authorities (CAs), enhancing certificate transparency.
24. Which HTTP header is used to specify a strong password policy for user authentication?
- X-Content-Type-Options
- X-XSS-Protection
- Strict-Transport-Security
- Access-Control-Allow-Origin
The "Strict-Transport-Security" (HSTS) header enforces the use of HTTPS, ensuring secure user authentication.
25. What does "MIME" stand for in the context of web security?
- Multiple Input, Multiple Output
- Multi-Instance, Multi-Environment
- Message Integrity, Message Encryption
- Multipurpose Internet Mail Extensions
"MIME" stands for Multipurpose Internet Mail Extensions and is used to define the types of files that can be included as email attachments and displayed in web browsers.