--- title: 'Web attacks & defenses: XSS, CSRF, SQLi, SSRF, IDOR, and file uploads | DevSense' description: 'The web attacks you’ll meet most often: injections (SQL/command), XSS, CSRF, IDOR/access-control bugs, SSRF, unsafe file uploads, clickjacking, and configuration pitfalls. Practical mitigations, headers, and checklists.' faq: - { question: 'Why is sanitizing HTML input not enough to prevent SQL injection?', answer: 'SQL injection occurs when untrusted data is concatenated into database queries. Sanitizing HTML removes tags like `