Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Log injection attacks and how to stop forging your own audit trail
One unsanitized turns a log line into two, and a critical Log4j flaw with a CVSS score of 10.0 turned a log message into remote code execution.
RBAC vs. ABAC vs. ReBAC: choosing an access-control model for multi-tenant cloud apps
Google's Zanzibar paper (USENIX ATC 2019) showed relationship graphs authorizing access with sub-10ms latency at massive scale — here's when RBAC or ABAC beats it instead.
Nuxt 3 Security Hardening: CSP, SSR Leakage, and Safe Server Routes
Nuxt 3's server runs as one long-lived Node process — a single misplaced ref() can leak one user's data into another user's response.
The OWASP Top 10:2025, explained with minimal fix-it code
OWASP reordered its Top 10 for 2025 — Broken Access Control is back at #1 and a new Mishandling of Exceptional Conditions category debuts at #10.
Path traversal, decoded: canonicalization patterns across languages
CVE-2021-41773 turned a broken path-normalization routine in Apache 2.4.49 into remote code execution. Here's how canonicalization stops the whole bug class.
React and TypeScript security best practices for 2026
A 2025 npm phishing attack hit packages with 2.6 billion weekly downloads. Here's how React and TypeScript teams reduce XSS, API, and dependency risk.
Designing a secure Node.js API gateway: auth, rate limits, validation, and signing
CVE-2020-15084 let attackers forge JWTs against express-jwt because one algorithm check was missing — a case study in why gateways need four defense layers, not one.
Secure file uploads in Node.js and Fastify
CWE-22 path traversal climbed three spots to #5 on the 2024 CWE Top 25. Here's how to validate, store, and scan Fastify uploads without trusting the client.
Memory safety in C/C++: the vulnerability classes that won't go away
Microsoft found ~70% of its patched CVEs trace to memory-safety bugs. Here's how buffer overflows, use-after-free, and double-free still happen — and what actually catches them.
Choosing a secure Node.js web framework: Express, Fastify, Koa, and NestJS compared
None of Express, Fastify, Koa, or NestJS enable security headers, CSRF protection, or input validation by default — the defaults you inherit differ more than you'd think.
Why Math.random() is a security bug waiting to happen
A 2008 Debian OpenSSL patch cut key entropy to ~32,768 values; a 2012 scan found 0.75% of TLS certs shared keys. Weak PRNGs still cause real breaches.
Preventing mass assignment in Spring MVC and Spring Boot
CWE-915 mass assignment lets one extra JSON field turn a profile update into a privilege escalation — here's how DTOs beat @JsonIgnore in Spring.