Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

Log injection attacks and how to stop forging your own audit trail

One unsanitized turns a log line into two, and a critical Log4j flaw with a CVSS score of 10.0 turned a log message into remote code execution.

Jul 15, 20265 min read
Application Security

RBAC vs. ABAC vs. ReBAC: choosing an access-control model for multi-tenant cloud apps

Google's Zanzibar paper (USENIX ATC 2019) showed relationship graphs authorizing access with sub-10ms latency at massive scale — here's when RBAC or ABAC beats it instead.

Jul 15, 20266 min read
Application Security

Nuxt 3 Security Hardening: CSP, SSR Leakage, and Safe Server Routes

Nuxt 3's server runs as one long-lived Node process — a single misplaced ref() can leak one user's data into another user's response.

Jul 15, 20266 min read
Application Security

The OWASP Top 10:2025, explained with minimal fix-it code

OWASP reordered its Top 10 for 2025 — Broken Access Control is back at #1 and a new Mishandling of Exceptional Conditions category debuts at #10.

Jul 15, 20269 min read
Application Security

Path traversal, decoded: canonicalization patterns across languages

CVE-2021-41773 turned a broken path-normalization routine in Apache 2.4.49 into remote code execution. Here's how canonicalization stops the whole bug class.

Jul 15, 20266 min read
Application Security

React and TypeScript security best practices for 2026

A 2025 npm phishing attack hit packages with 2.6 billion weekly downloads. Here's how React and TypeScript teams reduce XSS, API, and dependency risk.

Jul 15, 20266 min read
Application Security

Designing a secure Node.js API gateway: auth, rate limits, validation, and signing

CVE-2020-15084 let attackers forge JWTs against express-jwt because one algorithm check was missing — a case study in why gateways need four defense layers, not one.

Jul 15, 20266 min read
Application Security

Secure file uploads in Node.js and Fastify

CWE-22 path traversal climbed three spots to #5 on the 2024 CWE Top 25. Here's how to validate, store, and scan Fastify uploads without trusting the client.

Jul 15, 20266 min read
Application Security

Memory safety in C/C++: the vulnerability classes that won't go away

Microsoft found ~70% of its patched CVEs trace to memory-safety bugs. Here's how buffer overflows, use-after-free, and double-free still happen — and what actually catches them.

Jul 14, 20267 min read
Application Security

Choosing a secure Node.js web framework: Express, Fastify, Koa, and NestJS compared

None of Express, Fastify, Koa, or NestJS enable security headers, CSRF protection, or input validation by default — the defaults you inherit differ more than you'd think.

Jul 14, 20266 min read
Application Security

Why Math.random() is a security bug waiting to happen

A 2008 Debian OpenSSL patch cut key entropy to ~32,768 values; a 2012 scan found 0.75% of TLS certs shared keys. Weak PRNGs still cause real breaches.

Jul 14, 20266 min read
Application Security

Preventing mass assignment in Spring MVC and Spring Boot

CWE-915 mass assignment lets one extra JSON field turn a profile update into a privilege escalation — here's how DTOs beat @JsonIgnore in Spring.

Jul 14, 20266 min read
Application Security (Page 2) — Supply Chain Security Blog | Safeguard