Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

The security case for Node.js's newer runtime features

Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.

Jul 8, 20267 min read
Application Security

Implementing SSL/TLS certificate pinning in Node.js

HTTP Public Key Pinning died in Chrome 67 back in 2018, yet Node.js apps still need pinning for mobile backends and server-to-server calls — here's how to do it without bricking your own API.

Jul 8, 20266 min read
Application Security

Preventing open redirect vulnerabilities in Laravel

Laravel's own ->away() helper is documented as a bypass of its URL safety checks — feed it user input and you've built an open redirect, CWE-601, into the framework's happy path.

Jul 8, 20266 min read
Application Security

PHP code security fundamentals: injection, deserialization, and file inclusion

PHP still powers over 70% of server-side websites, and its three oldest vulnerability classes — injection, deserialization, and file inclusion — remain the most common findings in 2026.

Jul 8, 20267 min read
Application Security

PHPStan vs. Psalm: setting up PHP static analysis to catch security bugs pre-commit

Psalm ships free taint analysis out of the box; PHPStan doesn't track data flow at all without extensions. Here's how to wire either one into pre-commit.

Jul 8, 20266 min read
Application Security

Preventing log injection in Node.js and Express

A single unescaped newline in req.body can let an attacker forge fake log entries — CWE-117 log injection still hits Node apps that log with plain string concatenation.

Jul 8, 20266 min read
Application Security

Preventing SQL Injection with Entity Framework

EF Core parameterizes every standard LINQ query by default — the real injection risk lives in three raw-SQL escape hatches Microsoft documents but developers still misuse.

Jul 8, 20266 min read
Application Security

The three dimensions of Python static analysis, and where each one blinds itself

AST scanners, taint trackers, and type checkers each solve a different problem — and each has a documented blind spot that lets real bugs through untouched.

Jul 8, 20266 min read
Application Security

Secure conditional rendering in React and Next.js Server Components

A CVSS 10.0 React Server Components flaw, patched in December 2025, shows why {isAdmin && <Panel/>} isn't access control — the data ships to the client either way.

Jul 8, 20266 min read
Application Security

ReDoS in Python and FastAPI: how one regex takes down an event loop

CVE-2024-3772 let a single crafted email string trigger catastrophic backtracking in Pydantic's own validator — the exact code path every FastAPI request body runs through.

Jul 8, 20266 min read
Application Security

A practical REST API hardening checklist

OWASP's 2023 API Security Top 10 still ranks broken object-level authorization as the #1 risk — here's a concrete checklist for authn, rate limiting, and input validation.

Jul 8, 20266 min read
Application Security

SAML SSO vulnerabilities: signature wrapping and assertion replay explained

A 2024 ruby-saml flaw (CVE-2024-45409, CVSS 9.8) let attackers forge SAML assertions and log in as any user, including admins — seven years after the same bug class was first disclosed.

Jul 8, 20266 min read
Application Security (Page 10) — Supply Chain Security Blog | Safeguard