• .NET MVC Security

    Most web security attacks are based on doing unexpected things to user input to fool the website into doing something it shouldn't. As web developers we all know this, but it's hard to keep track of all the exploits that are out there, and it's easy to overlook things. Attacks that target the users of a website work by making them enter unexpected input without realising it. This often relies on the user being logged on to the target site, so that their browser is already authenticated when they click on a link in a phishing email.

    These notes are about how to avoid making a site …