Application Layer
Auth, cookies, CORS, data formats
The request carries authentication tokens, cookies, and content headers. The browser enforces same-origin policy, CORS, and CSP before the request even leaves.
How It Works
The application layer is where web security policy is enforced. Before a cross-origin request leaves the browser, the same-origin policy checks whether it's allowed. For non-simple requests (custom headers, non-GET methods), the browser sends a CORS preflight OPTIONS request asking the server 'do you accept requests from this origin?' Only if the server responds with appropriate Access-Control-Allow-* headers does the actual request proceed.
Authentication and state management ride on top of HTTP. OAuth 2.0 Bearer tokens are sent in the Authorization header. Cookies are attached automatically based on domain, path, and security flags (Secure, HttpOnly, SameSite). Content Security Policy (CSP) headers from previous responses restrict which domains the page can contact, what scripts it can run, and what content it can load β a critical defense against XSS attacks. All of this is evaluated before the request hits the network.
The Signal Flow
Key Concepts
OAuth 2.0 is the authorization framework β it lets users grant limited access to their resources without sharing passwords. OpenID Connect (OIDC) adds identity on top β it's how 'Sign in with Google' works. The result is a JWT access token in your Authorization header.
Small key-value pairs the server sets via Set-Cookie. The browser automatically sends matching cookies on every request. HttpOnly prevents JavaScript access (XSS defense). Secure requires HTTPS. SameSite prevents cross-site request forgery (CSRF).
Cross-Origin Resource Sharing. Browsers block cross-origin requests by default (same-origin policy). CORS is the opt-in mechanism: the server sends Access-Control-Allow-Origin headers telling the browser which origins are permitted.
A response header that restricts what the page can do: which scripts can execute, which URLs can be contacted, whether inline scripts are allowed. CSP is the most powerful defense against XSS β even if an attacker injects a script tag, CSP can block it from running.
Deep Dive
The JWT lifecycle
A JSON Web Token (JWT) is a compact, signed token containing claims (user ID, roles, expiration). It's Base64URL-encoded and signed with HMAC-SHA256 or RS256. The server issues a JWT after authentication; the client stores it (typically in memory or an httpOnly cookie) and sends it with each request. The server validates the signature without hitting a database β that's the performance advantage. The tradeoff: JWTs can't be revoked individually (they're valid until expiry), which is why short expiration times and refresh token rotation are critical.
How CORS preflight works
When JavaScript makes a 'non-simple' request (custom headers like Authorization, methods like PUT/DELETE, non-standard Content-Types), the browser sends an OPTIONS preflight first. The server must respond with Access-Control-Allow-Origin, -Methods, and -Headers confirming the request is acceptable. This preflight is cached (Access-Control-Max-Age) so subsequent requests skip it. The preflight mechanism exists because servers built before CORS expected that only simple form submissions would come from browsers β complex requests mean the server explicitly opted into cross-origin access.
Related Specs
Must-know specifications from the State & Sessions, Authentication & Authorization, Data Formats layers.
Sessions, auth tokens, tracking, and CSRF defenses all run through cookies. Know SameSite, Secure, HttpOnly, and domain scoping to avoid security bugs.
Every browser-side API call to a different origin hits CORS. Misconfigured CORS is a top source of dev frustration and security holes.
A well-configured CSP is the strongest mitigation against XSS. Required by modern security audits and browser hardening.
The foundation of modern app auth: third-party login, API authorization, SSO, and machine-to-machine access all use OAuth 2.0.
Every API that accepts an OAuth access token uses bearer token transport. Know the header format and the security implications of each transport method.
Required for all public clients (SPAs, mobile apps, desktop apps). If you're building a non-confidential OAuth client, PKCE is mandatory per current best practice.