Elwin's Blog

an activist who likes to think


OWASP Top 10 security risks of 2021, from a front-end point of view

The complete description and prevention list for each category can be found on the OWASP Top 10:2021 page.

Now let's look at each one more closely:

A01:Broken Access Control

Common ones include the following:

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-201: Insertion of Sensitive Information Into Sent Data
CWE-352: Cross-Site Request Forgery (CSRF)

Description:

All of the OWASP descriptions apply to the front end except this one:

CORS misconfiguration allows API access from unauthorized/untrusted origins.

Prevention:

Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.

Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.

Stateful session identifiers should be invalidated on the server after logout. Stateless JWT tokens should rather be short-lived so that the window of opportunity for an attacker is minimized. For longer-lived JWTs it's highly recommended to follow the OAuth standards to revoke access.
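As an added example (not code from the original post), here is what the "enforce record ownership" and "implement access control once and re-use it" bullets look like for a note-by-id endpoint. The record store, the session shape and every function name are this example's own assumptions; a real app reads them from its database and authenticated session.

```javascript
// Added example (not from the original post): the A01 prevention bullets
// applied to a note-by-id endpoint. The record store and the session shape
// are constructed for the example.

const records = new Map([
  [101, { id: 101, ownerId: 'alice', note: "alice's private note" }],
  [102, { id: 102, ownerId: 'bob', note: "bob's private note" }],
]);

// Vulnerable: the id from the URL is trusted, so any signed-in user can read
// (and, with the same pattern, update or delete) anyone's record.
function getNoteInsecure(session, recordId) {
  if (!session) return { status: 401, body: null };
  const record = records.get(Number(recordId));
  return record ? { status: 200, body: record } : { status: 404, body: null };
}

// Access-control check written once and reused by every handler that touches
// a record. Deny by default: unauthenticated -> 401, malformed id -> 400,
// anything that is not an existing record owned by this user -> 404.
// Returning 404 rather than 403 for someone else's record avoids confirming
// that the id exists (enumeration).
function authorizeRecordAccess(session, recordId) {
  if (!session || !session.userId) return { status: 401 };
  const id = Number(recordId);
  if (!Number.isInteger(id) || id <= 0) return { status: 400 };
  const record = records.get(id);
  if (!record || record.ownerId !== session.userId) return { status: 404 };
  return { status: 200, record };
}

function getNoteSecure(session, recordId) {
  const auth = authorizeRecordAccess(session, recordId);
  if (auth.status !== 200) return { status: auth.status, body: null };
  return { status: 200, body: auth.record };
}

function deleteNoteSecure(session, recordId) {
  const auth = authorizeRecordAccess(session, recordId);
  if (auth.status !== 200) return { status: auth.status, body: null };
  records.delete(auth.record.id);
  return { status: 204, body: null };
}
```

With the insecure handler, alice fetching `/notes/102` gets bob's note; with the hardened one she gets a 404, and the same helper guards delete and update so the rule cannot drift between handlers.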

A02:Cryptographic Failures

Common ones include the following:

CWE-259: Use of Hard-coded Password
CWE-327: Broken or Risky Crypto Algorithm
CWE-331 Insufficient Entropy

Description:

All of the OWASP descriptions apply to the front end.

Prevention:

All of the OWASP prevention methods apply to the front end except this one:

Do not use legacy protocols such as FTP and SMTP for transporting sensitive data.

Example of Sensitive Data Exposure (image not reproduced here).

A03:Injection

Common ones include the following:

CWE-79: Cross-site Scripting (XSS)
CWE-89: SQL Injection
CWE-73: External Control of File Name or Path

Description:

User-supplied data is not validated, filtered, or sanitized by the application.

Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.

Prevention:

The preferred option is to use a safe API, which avoids using the interpreter entirely.

e.g. using textContent (or innerText) instead of innerHTML when writing user data into the DOM

Don't trust user input: always validate it when the data will be processed by an interpreter.

Validate the query parameters (URLSearchParams) in the URL before using them.
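As an added example (not from the original post), here is DOM-based XSS from a query parameter with the vulnerable rendering beside the escaped one, plus an allowlist check for a `?next=` redirect parameter, which is the "validate the query parameters" point in practice. It runs without a browser: the DOM assignments are shown in comments, and the URLs and function names are this example's own.

```javascript
// Added example (not from the original post): DOM XSS from a query parameter
// and validation of a ?next= redirect parameter. URLs are constructed.

// Context-aware escaping for the HTML text context only. Attribute, URL and
// JavaScript contexts each need their own encoder.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: untrusted input is concatenated into markup that later goes
// through the HTML interpreter, e.g. el.innerHTML = greetingHtmlInsecure(name)
function greetingHtmlInsecure(name) {
  return `<h1>Welcome, ${name}!</h1>`;
}

// Escaped: acceptable when markup is unavoidable.
function greetingHtmlEscaped(name) {
  return `<h1>Welcome, ${escapeHtml(name)}!</h1>`;
}
// Preferred (the "safe API" from the prevention bullet): skip the HTML
// interpreter entirely, e.g. heading.textContent = 'Welcome, ' + name + '!';

// Reads ?next= from the page URL and returns a same-origin path or "/".
// Absolute URLs, protocol-relative ("//evil.example"), javascript: and
// backslash tricks all resolve to a different origin and are rejected.
function safeRedirectTarget(pageHref) {
  const page = new URL(pageHref);
  const next = page.searchParams.get('next') ?? '/';
  if (!next.startsWith('/') || next.startsWith('//')) return '/';
  let target;
  try {
    target = new URL(next, page.origin);
  } catch {
    return '/';
  }
  if (target.origin !== page.origin) return '/';
  return target.pathname + target.search;
}

// Constructed page URLs as a browser would see them in location.href.
const LOGIN_WITH_PHISH = 'https://app.example/login?next=//evil.example/phish';
const LOGIN_WITH_ACCOUNT = 'https://app.example/login?next=/account?tab=2';
```

`safeRedirectTarget(LOGIN_WITH_PHISH)` returns `/`, while `safeRedirectTarget(LOGIN_WITH_ACCOUNT)` returns `/account?tab=2`. The origin comparison after resolving with `new URL()` is what makes the check robust: it is the browser's own parser deciding where the redirect would really go, not a hand-written prefix test.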

A04:Insecure Design

Common ones include the following:

CWE-209: Generation of Error Message Containing Sensitive Information
CWE-256: Unprotected Storage of Credentials
CWE-501: Trust Boundary Violation
CWE-522: Insufficiently Protected Credentials

Description:

An insecure design cannot be fixed by a perfect implementation, because by definition the security controls needed to defend against specific attacks were never created.

One of the factors that contribute to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine what level of security design is required.

Prevention:

All of the OWASP prevention methods apply to the front end as well.

Example Attack Scenarios

Scenario #1: A credential recovery workflow might include “questions and answers,” which is prohibited by NIST 800-63b, the OWASP ASVS, and the OWASP Top 10. Questions and answers cannot be trusted as evidence of identity as more than one person can know the answers, which is why they are prohibited. Such code should be removed and replaced with a more secure design.

P.S. Question-and-answer password reset can still be seen on some websites today.

A05:Security Misconfiguration

Common ones include the following:

CWE-16 Configuration
CWE-611 Improper Restriction of XML External Entity Reference.

Description:

Error handling reveals stack traces or other overly informative error messages to users.

For upgraded systems, the latest security features are disabled or not configured securely.

The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values.

The software is out of date or vulnerable.

Prevention:

All of the OWASP prevention methods apply to the front end except this one:

Sending security directives to clients, e.g., Security Headers.

A06:Vulnerable and Outdated Components

Common ones include the following:

CWE-1104: Use of Unmaintained Third-Party Components

Description:

All of the OWASP description points apply to the front end.

Prevention:

All of the OWASP prevention methods apply to the front end.
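As an added example (not from the original post) of what this category looks like in a front-end project, here is a pre-flight check over package.json that flags dependency declarations which make vulnerable or outdated components hard to track: unbounded versions, non-registry sources that `npm audit` cannot check, and floating ranges that change what gets installed without a code change. The manifest, the severity scale and the function names are constructed for the example; the check complements, not replaces, `npm audit` and a committed lockfile.

```javascript
// Added example (not from the original post): a dependency-spec audit over a
// constructed package.json.

const SAMPLE_MANIFEST = {
  dependencies: {
    react: '18.2.0',
    'left-pad': '^1.3.0',
    'some-widget': 'latest',
    'old-util': '*',
    'internal-lib': 'git+https://github.com/example-org/internal-lib.git',
    'tarball-dep': 'https://cdn.example.com/tarball-dep-1.0.0.tgz',
  },
  devDependencies: {
    eslint: '~8.57.0',
  },
};

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Returns null for an exact, registry-resolved version, otherwise a finding.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s === '' || s === '*' || s === 'latest' || /^[<>]=?\s*\d/.test(s)) {
    return { severity: 'high', issue: 'unbounded version: any future release will be installed' };
  }
  if (/^(?:git\+|git:|github:|https?:\/\/|file:)/.test(s) || /\.tgz$/.test(s)) {
    return { severity: 'medium', issue: 'non-registry source: not covered by npm audit advisories' };
  }
  if (/^[\^~]/.test(s) || /\d\.(?:x|\*)/i.test(s) || /\s-\s|\|\|/.test(s)) {
    return { severity: 'info', issue: 'floating range: rely on the lockfile and review every update' };
  }
  return null;
}

function auditDependencySpecs(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
      const result = classifySpec(spec);
      if (result) findings.push({ field, name, spec, ...result });
    }
  }
  return findings;
}
```

On the sample manifest this yields two high findings (`latest`, `*`), two medium (the git and tarball sources) and two info (the caret and tilde ranges); `react` passes. Run it in CI next to `npm audit` so a new unpinned or out-of-registry dependency fails the build rather than quietly landing.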

A07:Identification and Authentication Failures

Common ones include the following:

CWE-297: Improper Validation of Certificate with Host Mismatch
CWE-287: Improper Authentication
CWE-384: Session Fixation.

Description:

All of the OWASP description points apply to the front end except this one:

Permits brute force or other automated attacks.

Prevention:

Where possible, implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks

Implement weak password checks, such as testing new or changed passwords against the top 10,000 worst passwords list

Align password length, complexity, and rotation policies with the National Institute of Standards and Technology (NIST) 800-63b's guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence-based password policies.
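As an added example (not from the original post), here is a password check aligned with NIST SP 800-63B section 5.1.1 as the last two bullets recommend: a minimum length counted in code points, no composition rules, and a blocklist of common, repetitive, sequential and context-specific values. The six-entry blocklist is a constructed stand-in for the real top-10,000 list, and the function names are this example's own. The same check must run on the server too, because a client-side check only improves the user experience.

```javascript
// Added example (not from the original post): NIST SP 800-63B 5.1.1 style
// password check. COMMON_PASSWORDS is a constructed sample of the real list.

const COMMON_PASSWORDS = new Set([
  'password', '123456', 'qwerty', 'letmein', 'iloveyou', 'admin123',
]);

// NIST counts each Unicode code point as one character, hence [...s].
function codePointLength(s) {
  return [...s].length;
}

// "aaaaaaaa", "11111111"
function isRepetitive(s) {
  return /^(.)\1+$/u.test(s);
}

// "abcdefgh", "12345678", "zyxwvuts": every step is +1 or every step is -1.
function isSequential(s) {
  const cps = [...s].map((c) => c.codePointAt(0));
  if (cps.length < 4) return false;
  const step = cps[1] - cps[0];
  if (Math.abs(step) !== 1) return false;
  return cps.every((cp, i) => i === 0 || cp - cps[i - 1] === step);
}

function checkPassword(password, { username = '', serviceName = '' } = {}) {
  const problems = [];
  const normalized = password.normalize('NFKC').toLowerCase();
  if (codePointLength(password) < 8) problems.push('shorter than 8 characters');
  if (COMMON_PASSWORDS.has(normalized)) problems.push('on the common-password list');
  if (isRepetitive(normalized)) problems.push('repetitive characters');
  if (isSequential(normalized)) problems.push('sequential characters');
  for (const ctx of [username, serviceName]) {
    if (ctx && ctx.length >= 3 && normalized.includes(ctx.toLowerCase())) {
      problems.push('contains the username or service name');
      break;
    }
  }
  // Deliberately absent: "must contain a digit/symbol/uppercase" rules and
  // forced rotation, both of which 800-63B says verifiers SHOULD NOT impose.
  // Spaces and non-ASCII characters are accepted as-is.
  return { ok: problems.length === 0, problems };
}
```

`checkPassword('correct horse battery staple')` passes while `checkPassword('PASSWORD')`, `'12345678'` and `'alice2024!'` for user `alice` all fail, each with a reason the UI can show. Note that a tiny blocklist lets obvious variants such as `Pa55w0rd` through; the real list, or a breach-corpus lookup on the server, is what gives this check its teeth.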

A08:Software and Data Integrity Failures

Common ones include the following:

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check
CWE-502: Deserialization of Untrusted Data.

Description:

The OWASP description is a single paragraph, and it applies to the front end as well.

Prevention:

All of the OWASP prevention methods apply to the front end except the following two:

Ensure that your CI/CD pipeline has proper segregation, configuration, and access control to ensure the integrity of the code flowing through the build and deploy processes.

Ensure that unsigned or unencrypted serialized data is not sent to untrusted clients without some form of integrity check or digital signature to detect tampering or replay of the serialized data

A09:Security Logging and Monitoring Failures

Common ones include the following:

CWE-778 Insufficient Logging
CWE-117 Improper Output Neutralization for Logs
CWE-223 Omission of Security-relevant Information
CWE-532 Insertion of Sensitive Information into Log File

This category does not apply to the front end.

A10:Server-Side Request Forgery (SSRF)

It is a new category for 2021, added from the community survey, and it maps to a single Common Weakness Enumeration (CWE): CWE-918 Server-Side Request Forgery (SSRF).

As the name suggests, this is not related to the client side.