XSS, CSRF, injection, and misconfiguration—practical prevention aligned with headers and secure coding.