Application Security
In-depth guides and analysis on application security from the Safeguard engineering team.
480 articles
Mass assignment in Node, Express, and Mongoose apps
One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.
Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation
One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.
Why Node.js's vm module is not a security sandbox
Node's own docs warn the vm module isn't a security mechanism — vm2, built on top of it, still shipped two CVSS 9.8 sandbox escapes in 2023.
Detecting and preventing Zip Slip and path traversal in Java
Snyk's 2018 Zip Slip disclosure hit Amazon, Apache, and LinkedIn projects at once — here's how the flaw still hides in Java archive code today, and how to catch it.
Preventing path traversal in Node.js file upload and serving code
path.join() doesn't stop ../../etc/passwd — CVE-2024-12905 and Zip Slip show why Node.js needs explicit containment checks, not just path normalization.
Preventing XSS in Django applications
Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.
ssl vs. requests vs. httpx: where Python TLS configuration goes wrong
Python didn't verify TLS certificates by default until PEP 476 landed in 2014 — a decade later, one stray verify=False call still reopens that exact hole.
XSS defaults and escape hatches: React, Vue, and Angular compared
All three major frameworks escape output by default, but each ships a named escape hatch that turns raw HTML back on — and only one sanitizes it automatically.
API gateway security: enforcing authN/authZ and rate limits at the edge
A single unauthenticated API endpoint exposed 37 million T-Mobile accounts in 2023. Edge-enforced authZ and identity-aware rate limits are how you prevent the repeat.
API security fundamentals: mapping the OWASP API Top 10 to real tests
OWASP's 2023 API Security Top 10 lists 10 risk categories — most start with a single curl request. Here's how to test and fix each one.
Finding and fixing XXE vulnerabilities across common XML parsers
XXE is tracked as CWE-611 and lives in OWASP's misconfiguration category — because most XML parsers ship unsafe by default.
A practical guide to HTTP security headers: CSP, HSTS, and beyond
A misconfigured checkout page let attackers skim 380,000+ card payments from British Airways in 2018. Here's how CSP, HSTS, and frame-ancestors actually stop attacks like that.