Skip to main content
HashnodeCode as a StoryCode as a Story

Command Palette

Search for a command to run...

CORS vs CSP vs CSRF vs XSS — Differences Every Developer Must Understand

Stop treating all web security concepts the same

Updated
6 min read
CORS vs CSP vs CSRF vs XSS — Differences Every Developer Must Understand
S
Sreeram K S
Senior Software Engineer with 7+ years in Java, Spring Boot, and scalable backend systems. I help engineers crack backend/full-stack interviews, improve system design, and transition into cloud and AI with practical, real-world guidance.
Part of seriesThe Real - Real Basics

CORS, CSP, CSRF, XSS : They all sound similar, they all show up when something breaks in your frontend or backend and they all somehow feel like “security things.”

So it’s natural to assume “Aren’t these all solving the same problem?”

Well.. they’re not. In fact, mixing them up is one of the most common sources of confusion for developers, especially when debugging real production issues.

The Core Problem

Let’s set one thing straight, these are not the same category of concepts. They fall into two very different buckets one being Attacks and the other Protections (things browsers/servers enforce)

If you don’t separate this clearly in your mind, everything else becomes blurry. So in this blog, we’re not going deep into any of these concepts but we’re doing something more important. We’re building clarity.

Let’s look at each one, briefly and cleanly. Because you need to know what its is even if the goal is to differentiate them. So Here we go

XSS (Cross-Site Scripting)

XSS happens when user input is treated as executable code.

Imagine a user enters something into a form but instead of plain text, it contains JavaScript. If your application blindly renders it, the browser executes it. That means someone else’s code is now running inside your application.

The core idea here is Untrusted input becomes executable code*.*

CSRF (Cross-Site Request Forgery)

CSRF is about requests being sent without the user’s intention.

Imagine another scenario, the user is already logged in somewhere. Their browser automatically attaches cookies to requests. An attacker tricks the browser into making a request and the server thinks it’s legitimate. The user didn’t click anything but an action still happened.

The core idea here is a request is made using your identity, without your intent

CORS (Cross-Origin Resource Sharing)

CORS is not an attack, its a browser rule. Its about who is allowed to talk to whom.

It’s a browser-enforced rule that controls whether one origin (e.g., frontend.com) can talk to another origin (api.com). If the server doesn’t explicitly allow it, the browser blocks the response.

The core idea here is browser restricts cross-origin communication

CSP (Content Security Policy)

CSP is a defense mechanism. Even if malicious code reaches the browser, CSP can stop it from running.

It tells the browser "Which scripts are allowed", "Which domains are trusted" and "What can be executed". If something doesn’t match the policy, it gets blocked.

The core idea here is browser restricts what can execute.

How They Relate

This is where most confusion happens. These in itself are individual concepts but its also important to understand how they interact or relate with one another.

  • CSP helps prevent XSS - XSS is the attempt by an attacker to execute injected scripts. CSP can block those scripts from running.

  • CSRF is completely different from XSS - XSS, if you strip it down to most basic level, is a code execution problem, whereas CSRF is a request forgery problem. They don’t overlap, they attack different layers of the application.

  • CORS is often misunderstood as “security” - CORS is not protecting your backend from attackers. It is a browser rule, not a server-side security mechanism. Attackers can still hit your APIs using tools like Postman or curl. CORS only affects browsers, not the internet at large.

To make it a bit more easier here is a simple comparison

Concept Type What Problem It Solves Who Enforces It
XSS Attack Malicious scripts running in browser N/A (attacker-driven)
CSRF Attack Unauthorized actions using user session N/A (attacker-driven)
CORS Protection Controls cross-origin requests Browser
CSP Protection Controls what scripts/resources can run Browser

Real-World Flow

Let’s walk through a simple scenario. Imagine this :

  • Step 1: You open your favorite social media app or website and you’ve logged in. Now your session is active and cookies are set. Everything feels normal.

  • Step 2: You write a comment on a post and click submit. And you wanted to recheck if the comment you had just typed has any mistakes or not. Now here’s the risky part where XSS can happen here. If the application does not properly handle user input:

    • A malicious attacker (another user) who knew there was no security, posted a comment with a piece of code in it.

    • That script gets stored (or reflected)

    • And when you / others view the comment, the browser might execute that script as if it’s trusted.

  • Step 3: Now if the application handles the user input correctly, the comment section loads and comments are displayed. This is where CSP comes into play. Even if a malicious script was injected earlier via another comment, CSP acts like a gatekeeper and stop it from executing. “This script is not from an allowed source, block it”

  • Step 4: Now the social media app loads more data such as likes, insights, user profile, etc. CORS comes into play here. If the frontend tries to call an API from another domain, the browser checks if that domain is allowed and If its not, the request is blocked

  • Step 5: Now things get interesting. You’re still logged into the social media site in one tab and In another tab, you open some random/untrusted page. CSRF risk happens here, if the social media website has not accounted for it.

    • If CSRF Protections are not considered, that malicious page can trigger a request to the social media site. Your browser automatically attaches cookies and the server thinks “This is a valid user request”. But you never intended it.

    • If CSRF header tokens are enabled then the call from the untrusted page gets blocked.

In one flow, all four exist—but do very different things.

Concluding Thoughts

CORS, CSP, CSRF, and XSS are often grouped together, but they shouldn’t be. They solve different problems at different layers:

  • Two are attacks (XSS, CSRF)

  • Two are protections (CSP, CORS)

And once you see that clearly debugging, designing, and securing systems becomes much simpler. If you want to go deeper into each concept:

If someone asks you now “Which of these is an attack vs a protection?” You should be able to answer instantly.

And that’s the point.

#web-security#javascript#backend#frontend-development#security#xss#csrf#cors#csp#software-engineering#full-stack#web-development#developer

Comments

Join the discussion

No comments yet. Be the first to comment.

The Real - Real Basics

Part 12 of 12

If you’ve ever felt like tech concepts are explained *just one layer too high*, this series is for you. **“The Real – Real Basics”** is not about definitions. It’s about **understanding what’s actually happening underneath**. Most resources jump straight into something like “This is a process”, “This is a thread” and “This is memory” But they rarely answer basic doubts like *Why do these things even exist?*, *What problem are they solving?*, *What is the computer actually doing behind the scenes?* which may arise in everyone's mind. --- ## What you’ll learn This track covers the foundations every developer *uses daily* but often doesn’t fully understand the very basic of the basics starting from *What is a Computer (beyond keyboard + screen)* to *How everything connects in real systems* --- ## Who this is for This is a supplement for *Beginners* trying to build strong fundamentals, *Developers* preparing for interviews, *Engineers* who “use things” but want to "understand them deeply" Also just to clarify these are individual blogs that can help you understand what you have already been using or would be using in you current/new role. This is not a guided course. --- ## What to expect I plan to write these blogs in a simple easy to understand language that can help connect the "layman" in us to the "coder" in us. I'll try my level best to make the blogs be with story-driven explanations, clear mental models, real backend/system relevance and no unnecessary jargon (which is very hard to do, so when I use something and any clarity is required on those, Ill try to include what that means in the blog itself and if I miss anything please let me know in comments). --- ## End goal By the end of this series, you won’t just *know* concepts, you’ll be able to **visualize them, reason about them, and use them with confidence in real systems.** --- This is where your foundation stops being *memorized* and starts becoming **intuitive**.

Start from the beginning

What is a Computer?

From Hardware to Code — and why it’s just like a human

More from this blog

C

Code as a Story

13 posts

Code as a Story Simply breaks down computer science and backend concepts into clear, story-driven explanations. No jargon or textbook overload, just intuitive understanding backed by real world engineering insights. Learn how things actually work, not just how to use them.