Safeguard
Topic

Security Guides

In-depth guides and analysis on security guides from the Safeguard engineering team.

124 articles

Security Guides

How to Build a Secure npm Package (2026)

A practical checklist for shipping an npm package that resists supply chain attacks: provenance, granular tokens, minimal published files, no install scripts, and ReDoS-safe code.

Jul 1, 20265 min read
Security Guides

How to Rotate Leaked API Keys (2026 Playbook)

A leaked API key is a live credential until you kill it. Here is a provider-agnostic rotation playbook — grounded in the Toyota T-Connect and CircleCI incidents — that revokes access without breaking production.

Jul 1, 20267 min read
Security Guides

Is Lodash Safe? A 2026 Security Guide

Lodash powers a huge slice of the JavaScript ecosystem — and a string of prototype pollution and injection CVEs have made 'is lodash safe' a real question. Here is the honest answer for 2026.

Jul 1, 20266 min read
Security Guides

Java Security Best Practices: A Lifecycle Approach for 2026

A practical, lifecycle-based guide to Java security in 2026 — covering input handling, cryptography, dependencies, and runtime hardening with real code.

Jul 1, 20266 min read
Security Guides

Next.js Security Best Practices: Middleware, Server Components, and Secrets

CVE-2025-29927 let attackers skip Next.js middleware with a single header. Here is where App Router security actually breaks and how to lock it down.

Jul 1, 20266 min read
Security Guides

Node.js Security Best Practices for 2026

A practical, runtime-aware checklist for hardening Node.js services in 2026 — from the built-in permission model and secure defaults to dependency risk, secrets, and reachability-based triage.

Jul 1, 20266 min read
Security Guides

npm audit: The Complete Guide to Auditing Node.js Dependencies

How npm audit really works, the exact commands to run in CI, where it silently falls short, and how to close the gaps with reachability-aware SCA and autonomous fixes.

Jul 1, 20266 min read
Security Guides

OWASP A01: Broken Access Control — A Deep-Dive Guide

Broken Access Control is the #1 OWASP Top 10 (2021) risk. A deep dive into IDOR, missing authorization, real CVEs, and how to detect and fix it in 2026.

Jul 1, 20267 min read
Security Guides

OWASP A02: Cryptographic Failures — A Deep-Dive Guide

Cryptographic Failures rank #2 in the OWASP Top 10 (2021). A deep dive into weak algorithms, key management, real CVEs, and how to detect and fix them in 2026.

Jul 1, 20266 min read
Security Guides

Auditing Python Dependencies with pip-audit: A Practical Guide

pip-audit is the PyPA-backed tool for scanning Python dependencies against the OSV and PyPI advisory databases. Here is how to run it well — and where it needs backup.

Jul 1, 20265 min read
Security Guides

PyTorch Security Guide (2026)

PyTorch is the dominant deep-learning framework for research and production — and its torch.load remote-code-execution history makes loading a model checkpoint one of the most security-sensitive operations in modern ML.

Jul 1, 20266 min read
Security Guides

React Security Best Practices: A Practical Checklist for 2026

React escapes JSX text for you, but XSS sinks, secrets in the client bundle, token storage, and a 500-package npm worm are still yours to handle.

Jul 1, 20265 min read
Security Guides (Page 10) — Supply Chain Security Blog | Safeguard