Which statements on web applications security are true

$$ Common techniques for mitigating Cross$-$Site Scripting attacks include input validation, output encoding, and Content Security Policy.

$$ The Content Security Policy $($CSP$)$ is an opt$-$in security mechanism for web applications which allow security$-$related settings in special headers of web pages.

$$ Cross$-$Site Scripting attacks can only occur in web applications that use client$-$side scripting languages such as JavaScript.

$$ Side$-$channel attacks are only feasible against web systems that have been designed with security flaws.

Which of the following statements are correct

The SSL$/$TLS protocol is used to establish an encrypted connection in HTTPS$.$

Stored XSS attacks occur when a malicious script is included in a request to a web application and then sent back to the user.

Passwords are an insecure way to protect sensitive data.

A website with a self$-$signed certificate may be considered less secure than one with a certificate signed by a certificate authority