After six months hardening a production web app against XSS and CSRF attacks, this guide covers what actually works: output encoding, nonce-based CSP, CSRF tokens, SameSite cookies, and security headers — with practical Python and Nginx code examples.