LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

What makes a web application different from a traditional desktop application from a security perspective?

It talks to a server over HTTP (a stateless protocol) and runs inside a browser shared with other apps — so it inherits the browser's quirks and threat model.

Three security-relevant consequences flow from this:

  • HTTP is stateless ⇒ the app has to invent its own "memory" (cookies, hidden fields, sessions), and every state-carrying mechanism is a potential attack surface.
  • Many apps share one browser ⇒ without isolation (Same-Origin Policy), evil.com could read your bank's cookies. The browser provides isolation; the app must use it correctly.
  • The app inherits browser features ⇒ if the browser supports JavaScript, your app can be attacked via XSS. If the browser auto-fills cookies, you can be hit by CSRF. You can't opt out — only mitigate.

Tip: A desktop app's threat model is mostly "the user and the OS". A web app's threat model adds "every other tab in the user's browser, the network in between, and the server that hosts it."

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026