Chapter 21. Security and Vulnerability

Part of being a competent web application developer is having a solid awareness of web security issues at the level of HTTP requests and responses. All web applications are potentially vulnerable to a familiar set of attacks—such as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection—but we can mitigate each of these types of attacks by understanding them clearly.

The MVC Framework does not introduce significant new risks itself; it takes an easily understood bare-bones approach to handling HTTP requests and generating HTML responses, so there is little uncertainty to fear.

To begin this chapter, we'll recap how easy it is for end users to manipulate HTTP requests (for example, ...

Get Pro ASP.NET MVC 3 Framework, Third Edition now with the O’Reilly learning platform.