XSS (Cross Site Scripting)
XSS enables attackers to inject client-side script into Web pages viewed by other users.
CSRF (Cross Site Request Forgery)
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. Mitigations:
- insert a hidden csrf_token field in every form, and verify it on every POST.
- alternatively, send the CSRF token in a response header and require the client to send it back with the POST data.
- always verify the Referer header (or the Origin header, where the browser sends one).
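The three mitigations above, as an added example that is not part of the original notes: a session-bound token is minted with an HMAC over a server secret, verified with a constant-time compare, and accepted from either the hidden form field or an `X-CSRF-Token` header, while the Origin/Referer header is checked against the site's own origin. The server secret, the origin `https://app.example` and the `handle_post` gatekeeper are constructed for this example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed secret for the example; in production load it from a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
# Assumed origin of the protected application.
ALLOWED_ORIGIN = "https://app.example"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to the session: nonce + HMAC(secret, session_id:nonce).
    Binding to the session means a token lifted from another session will not validate."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def referer_ok(headers: dict) -> bool:
    """Accept only if Origin (preferred) or Referer names our own origin.
    A missing header is rejected: a state-changing POST from the site always carries one."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def handle_post(session_id: str, headers: dict, form: dict) -> str:
    """Gate for a state-changing POST: origin check first, then the token taken from the
    hidden form field or, for JSON/XHR clients, from the X-CSRF-Token request header."""
    if not referer_ok(headers):
        return "403 bad origin"
    token = form.get("csrf_token") or headers.get("X-CSRF-Token", "")
    if not verify_csrf_token(session_id, token):
        return "403 bad csrf token"
    return "200 ok"


if __name__ == "__main__":
    sid = "sess-abc"  # constructed session id
    tok = issue_csrf_token(sid)
    print(handle_post(sid, {"Origin": ALLOWED_ORIGIN}, {"csrf_token": tok}))
    print(handle_post(sid, {"Referer": "https://other.example/"}, {"csrf_token": tok}))
```

The token is recomputable from the session id and the nonce, so the server stores nothing per token; the same `verify_csrf_token` serves both the hidden-field and the header variant, and the origin check runs before the token check so a cross-site request is rejected even if it somehow carries a valid token.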