Security Guides
In-depth guides and analysis on security guides from the Safeguard engineering team.
124 articles
How to Build a Secure npm Package (2026)
A practical checklist for shipping an npm package that resists supply chain attacks: provenance, granular tokens, minimal published files, no install scripts, and ReDoS-safe code.
How to Rotate Leaked API Keys (2026 Playbook)
A leaked API key is a live credential until you kill it. Here is a provider-agnostic rotation playbook — grounded in the Toyota T-Connect and CircleCI incidents — that revokes access without breaking production.
Is Lodash Safe? A 2026 Security Guide
Lodash powers a huge slice of the JavaScript ecosystem — and a string of prototype pollution and injection CVEs have made 'is lodash safe' a real question. Here is the honest answer for 2026.
Java Security Best Practices: A Lifecycle Approach for 2026
A practical, lifecycle-based guide to Java security in 2026 — covering input handling, cryptography, dependencies, and runtime hardening with real code.
Next.js Security Best Practices: Middleware, Server Components, and Secrets
CVE-2025-29927 let attackers skip Next.js middleware with a single header. Here is where App Router security actually breaks and how to lock it down.
Node.js Security Best Practices for 2026
A practical, runtime-aware checklist for hardening Node.js services in 2026 — from the built-in permission model and secure defaults to dependency risk, secrets, and reachability-based triage.
npm audit: The Complete Guide to Auditing Node.js Dependencies
How npm audit really works, the exact commands to run in CI, where it silently falls short, and how to close the gaps with reachability-aware SCA and autonomous fixes.
OWASP A01: Broken Access Control — A Deep-Dive Guide
Broken Access Control is the #1 OWASP Top 10 (2021) risk. A deep dive into IDOR, missing authorization, real CVEs, and how to detect and fix it in 2026.
OWASP A02: Cryptographic Failures — A Deep-Dive Guide
Cryptographic Failures rank #2 in the OWASP Top 10 (2021). A deep dive into weak algorithms, key management, real CVEs, and how to detect and fix them in 2026.
Auditing Python Dependencies with pip-audit: A Practical Guide
pip-audit is the PyPA-backed tool for scanning Python dependencies against the OSV and PyPI advisory databases. Here is how to run it well — and where it needs backup.
PyTorch Security Guide (2026)
PyTorch is the dominant deep-learning framework for research and production — and its torch.load remote-code-execution history makes loading a model checkpoint one of the most security-sensitive operations in modern ML.
React Security Best Practices: A Practical Checklist for 2026
React escapes JSX text for you, but XSS sinks, secrets in the client bundle, token storage, and a 500-package npm worm are still yours to handle.