Safeguard
Topic

Application Security

In-depth guides and analysis on application security from the Safeguard engineering team.

480 articles

Application Security

Mass assignment in Node, Express, and Mongoose apps

One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.

Jul 14, 20266 min read
Application Security

Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation

One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.

Jul 14, 20266 min read
Application Security

Why Node.js's vm module is not a security sandbox

Node's own docs warn the vm module isn't a security mechanism — vm2, built on top of it, still shipped two CVSS 9.8 sandbox escapes in 2023.

Jul 14, 20266 min read
Application Security

Detecting and preventing Zip Slip and path traversal in Java

Snyk's 2018 Zip Slip disclosure hit Amazon, Apache, and LinkedIn projects at once — here's how the flaw still hides in Java archive code today, and how to catch it.

Jul 14, 20265 min read
Application Security

Preventing path traversal in Node.js file upload and serving code

path.join() doesn't stop ../../etc/passwd — CVE-2024-12905 and Zip Slip show why Node.js needs explicit containment checks, not just path normalization.

Jul 14, 20266 min read
Application Security

Preventing XSS in Django applications

Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.

Jul 14, 20266 min read
Application Security

ssl vs. requests vs. httpx: where Python TLS configuration goes wrong

Python didn't verify TLS certificates by default until PEP 476 landed in 2014 — a decade later, one stray verify=False call still reopens that exact hole.

Jul 14, 20265 min read
Application Security

XSS defaults and escape hatches: React, Vue, and Angular compared

All three major frameworks escape output by default, but each ships a named escape hatch that turns raw HTML back on — and only one sanitizes it automatically.

Jul 14, 20266 min read
Application Security

API gateway security: enforcing authN/authZ and rate limits at the edge

A single unauthenticated API endpoint exposed 37 million T-Mobile accounts in 2023. Edge-enforced authZ and identity-aware rate limits are how you prevent the repeat.

Jul 13, 20266 min read
Application Security

API security fundamentals: mapping the OWASP API Top 10 to real tests

OWASP's 2023 API Security Top 10 lists 10 risk categories — most start with a single curl request. Here's how to test and fix each one.

Jul 13, 202611 min read
Application Security

Finding and fixing XXE vulnerabilities across common XML parsers

XXE is tracked as CWE-611 and lives in OWASP's misconfiguration category — because most XML parsers ship unsafe by default.

Jul 13, 20267 min read
Application Security

A practical guide to HTTP security headers: CSP, HSTS, and beyond

A misconfigured checkout page let attackers skim 380,000+ card payments from British Airways in 2018. Here's how CSP, HSTS, and frame-ancestors actually stop attacks like that.

Jul 13, 20266 min read
Application Security (Page 3) — Supply Chain Security Blog | Safeguard