Page 619 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
website, triggering a phone call–based verification, or solving a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA), a mechanism that distinguishes humans from software robots. Another potential protection mechanism is to add a randomization string (called a nonce) to each URL request and session establishment and to check the client's HTTP Referer request header for spoofing. End users can form more secure habits, such as running anti-malware scanners; using an HIDS; running a firewall; avoiding nonmainstream websites; always logging off from sites instead of closing the browser, closing the tab, or moving on to another URL; keeping browsers patched; and clearing out temporary files and cached cookies regularly.
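The nonce and Referer checks described above, as an added example written for this page rather than code from the study guide. It goes slightly beyond the text by binding each nonce to the session with an HMAC and spending it after one use; SERVER_KEY, SITE_HOST, and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for the example: a real deployment loads the key from a
# secret store and sets SITE_HOST to the site's own host name.
SERVER_KEY = b"constructed-example-key-replace-in-production"
SITE_HOST = "example.com"

# Nonces already spent, so each one authorizes exactly one state-changing request.
_consumed = set()


def _mac(session_id: str, random_part: str) -> str:
    """Bind the random part to the session so a nonce from another session fails."""
    msg = f"{session_id}:{random_part}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_nonce(session_id: str) -> str:
    """Mint an unpredictable nonce to embed in a form or URL for this session."""
    random_part = secrets.token_urlsafe(16)
    return f"{random_part}.{_mac(session_id, random_part)}"


def nonce_is_valid(session_id: str, nonce: str) -> bool:
    """Accept a nonce once, and only for the session it was issued to."""
    random_part, sep, mac = nonce.partition(".")
    if not sep or nonce in _consumed:
        return False
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(mac.encode(), _mac(session_id, random_part).encode()):
        return False
    _consumed.add(nonce)
    return True


def referer_is_trusted(headers: dict) -> bool:
    """Reject requests whose Origin/Referer is missing or names another site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme == "https" and parts.hostname == SITE_HOST


def accept_request(session_id: str, headers: dict, form: dict) -> bool:
    """Both checks must pass before a state-changing request is processed."""
    return referer_is_trusted(headers) and nonce_is_valid(session_id, form.get("nonce", ""))
```

A browser may omit the Referer header (privacy settings, referrer policies), so a site that relies on the header check alone will reject some legitimate users; the nonce is the primary control.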
Additional coverage of XSS and XSRF can be found in Chapter 21, “Malicious Code and Application Attacks.”

