Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
The security case for Node.js's newer runtime features
Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.
Implementing SSL/TLS certificate pinning in Node.js
HTTP Public Key Pinning died in Chrome 67 back in 2018, yet Node.js apps still need pinning for mobile backends and server-to-server calls — here's how to do it without bricking your own API.
Preventing open redirect vulnerabilities in Laravel
Laravel's own ->away() helper is documented as a bypass of its URL safety checks — feed it user input and you've built an open redirect, CWE-601, into the framework's happy path.
PHP code security fundamentals: injection, deserialization, and file inclusion
PHP still powers over 70% of server-side websites, and its three oldest vulnerability classes — injection, deserialization, and file inclusion — remain the most common findings in 2026.
PHPStan vs. Psalm: setting up PHP static analysis to catch security bugs pre-commit
Psalm ships free taint analysis out of the box; PHPStan doesn't track data flow at all without extensions. Here's how to wire either one into pre-commit.
Preventing log injection in Node.js and Express
A single unescaped newline in req.body can let an attacker forge fake log entries — CWE-117 log injection still hits Node apps that log with plain string concatenation.
Preventing SQL Injection with Entity Framework
EF Core parameterizes every standard LINQ query by default — the real injection risk lives in three raw-SQL escape hatches Microsoft documents but developers still misuse.
The three dimensions of Python static analysis, and where each one blinds itself
AST scanners, taint trackers, and type checkers each solve a different problem — and each has a documented blind spot that lets real bugs through untouched.
Secure conditional rendering in React and Next.js Server Components
A CVSS 10.0 React Server Components flaw, patched in December 2025, shows why {isAdmin && <Panel/>} isn't access control — the data ships to the client either way.
ReDoS in Python and FastAPI: how one regex takes down an event loop
CVE-2024-3772 let a single crafted email string trigger catastrophic backtracking in Pydantic's own validator — the exact code path every FastAPI request body runs through.
A practical REST API hardening checklist
OWASP's 2023 API Security Top 10 still ranks broken object-level authorization as the #1 risk — here's a concrete checklist for authn, rate limiting, and input validation.
SAML SSO vulnerabilities: signature wrapping and assertion replay explained
A 2024 ruby-saml flaw (CVE-2024-45409, CVSS 9.8) let attackers forge SAML assertions and log in as any user, including admins — seven years after the same bug class was first disclosed.