## 🌐 Client-Server

### HTTP Cycle

1. **Request**: Browser → server (method: GET, POST, PUT, DELETE, PATCH; headers; optional body)
2. **Processing**: Routing, application logic, DB operations
3. **Response**: Status code (2xx success, 3xx redirect, 4xx client error, 5xx server error), headers, body (HTML/JSON/assets)

### Network Layers

```
App:       HTTP/HTTPS, WebSockets, DNS (REST and GraphQL are API styles on top of HTTP)
Transport: TCP, UDP (TLS sits between transport and application)
Internet:  IP routing
Link:      Ethernet, WiFi, 5G
```

### Web Servers

* **Nginx** – high performance, reverse proxy, load balancing
* **Apache** – flexible, mature
* **Caddy** – automatic HTTPS
* **Cloudflare Workers** – edge/serverless (code runs at the CDN edge rather than on a server you operate)

---

## 🛠️ Dev Environment

### Stack

* **Runtime**: Node.js 18+, PHP 8.1+, Python 3.11+, Docker/Podman
* **Web Server**: Nginx, Apache, Caddy
* **DB**: PostgreSQL 15+, MySQL 8+/MariaDB 10.8+, Redis, MongoDB
* **Tools**: IDEs (VS Code, Zed), extensions (languages, Docker, Git, DB)

### Setup

**Docker:**

```yaml
# `version:` is no longer needed with Compose v2 (it only prints a warning).
services:
  app:
    build: .
    ports: ['8080:80']
  db:
    image: postgres:15
    environment:
      POSTGRES_DB: myapp
      POSTGRES_PASSWORD: change-me   # required: the image refuses to start without it
    # no `ports:` here: the DB is reachable from `app` on the compose network only
  redis:
    image: redis:7-alpine
```

**Managed Services:** Vercel, Netlify, Heroku, Render, AWS, Azure, GCP

**Local:** `brew/apt install nginx postgresql redis`

---

## ⚠️ Security Risks

1. **Phishing** – fake sites that harvest credentials; HTTPS alone does not stop it (phishing sites get certificates too), so rely on user verification of the domain, phishing-resistant MFA (WebAuthn/passkeys) and domain monitoring
2. **Data Theft** – unauthorized access to stored or transmitted data; prevent with encryption in transit and at rest plus access control
3. **SQL Injection** – untrusted input concatenated into queries; prevent with prepared (parameterized) statements
4. **XSS** – untrusted input rendered as script; prevent with context-aware output encoding and CSP
5. **Session Hijacking** – stolen or fixed session IDs; prevent with `HttpOnly`/`Secure`/`SameSite` cookies, HTTPS and ID regeneration on login
6. **DoS/DDoS** – overload the server; mitigate with rate limiting, timeouts and upstream filtering (CDN/WAF)
7. **CSRF** – the victim's browser is tricked into sending authenticated requests; prevent with CSRF tokens and `SameSite` cookies
8. **File Inclusion** – LFI/RFI: user input reaches `include` or file paths; prevent with allow-lists and path containment, and never include remote URLs

---

## 🛡️ Protection

* **Encryption:** HTTPS/TLS in transit, data-at-rest encryption
* **Auth:** MFA, strong passwords (or passkeys), RBAC
* **Validation:** Input validation, prepared statements, context-aware output encoding
* **Sessions:** `HttpOnly`, `Secure`, `SameSite` cookies; regenerate the session ID on login
* **Headers:** CSP, HSTS, X-Frame-Options (or CSP `frame-ancestors`), X-Content-Type-Options: nosniff; `X-XSS-Protection` is obsolete (the browser XSS auditor it controlled has been removed from current browsers), so send `0` or omit it and rely on CSP
* **Monitoring:** Logging, audits, intrusion detection
* **Updates:** Software patching, dependency management

**Prepared Statement Example:**

```php
// Placeholders keep data out of the SQL text: the driver sends $email
// separately, so its content cannot change the query structure.
// With pdo_mysql also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the driver, binds the parameter.
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$email]);
$user = $stmt->fetch();
```

---

## ✅ Best Practices

* Validate & sanitize input
* Use prepared statements
* Enforce HTTPS
* Strong auth (MFA, secure passwords)
* Security headers
* Keep software updated
* Monitor & log activity
* Least privilege
* Regular audits & pentests
* Backup & recovery

---

## 📚 Resources

* [OWASP Top 10](https://owasp.org/www-project-top-ten/)
* [PHP Security](https://www.php.net/manual/en/security.php)
* [Mozilla Web Security](https://infosec.mozilla.org/guidelines/web_security)
* [CWE](https://cwe.mitre.org/)