Safeguard
Topic

Security Guides

In-depth guides and analysis on security guides from the Safeguard engineering team.

124 articles

Security Guides

ReDoS: Regular Expression Denial of Service in JavaScript

A single bad regex can freeze your entire Node.js event loop on one malicious request. Here is how catastrophic backtracking works, how to spot vulnerable patterns, and how to fix them without rewriting everything.

Jul 8, 20266 min read
Security Guides

Rust Supply Chain Security: build.rs, Typosquatting, and Auditing crates.io

Rust's borrow checker guarantees memory safety in your code — and nothing about the crates you pull in. A cargo build runs arbitrary code at compile time, before any safe code executes.

Jul 8, 20267 min read
Security Guides

WebSocket Security Guide: Origin Checks, Auth, and CSWSH

WebSockets skip the same-origin policy and don't carry your REST auth for free. Cross-site WebSocket hijacking is the flaw teams miss. Here's how to secure the handshake.

Jul 8, 20265 min read
Security Guides

Preventing CSRF and XSS in ASP.NET Core

How CSRF and XSS actually work against ASP.NET Core apps, and the concrete defenses, antiforgery tokens, Razor output encoding, CSP, and SameSite cookies, that shut them down.

Jul 7, 20266 min read
Security Guides

Axios Security Guide (2026)

Axios is the most popular HTTP client in the JavaScript ecosystem — and its SSRF and credential-leak CVEs make its version and configuration security-relevant. Here is how to run it safely.

Jul 7, 20266 min read
Security Guides

Dart and Flutter Security Best Practices: Storage, Transport, and the pub.dev Supply Chain

A Flutter binary ships to both stores from one codebase — including any hardcoded secret, any disabled TLS check, and any vulnerable pub.dev package. Here is how to close each gap.

Jul 7, 20266 min read
Security Guides

The gosec Static Analysis Guide: Rules, CI, and Taming False Positives

gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.

Jul 7, 20266 min read
Security Guides

Java Secrets Management: Getting Credentials Out of Your Code

Hardcoded credentials are among the most common findings in Java codebases. Here's how to externalize, rotate, and protect secrets properly in 2026.

Jul 7, 20265 min read
Security Guides

Node.js Docker Security Best Practices

A Node.js container is only as secure as its base image, its user, and its dependency layer. This is a Dockerfile-by-Dockerfile walkthrough of hardening a Node app image — multi-stage builds, non-root, distroless, and layer hygiene.

Jul 7, 20265 min read
Security Guides

OAuth 2.0 Security Best Practices (2026)

OAuth 2.0 is safe when you follow the current security BCP and dangerous when you follow a decade-old tutorial. Here is what RFC 9700 requires in 2026: PKCE everywhere, exact redirect matching, and sender-constrained tokens.

Jul 7, 20266 min read
Security Guides

OWASP A09: Security Logging and Monitoring Failures — A Deep-Dive Guide

Security Logging and Monitoring Failures rank #9 in the OWASP Top 10 (2021). A deep dive into undetected breaches, dwell time, real incidents, and how to fix it.

Jul 7, 20267 min read
Security Guides

Secrets Management for Python Applications

Hard-coded API keys and .env files committed to git are still the fastest route into a Python app. Here is how to keep secrets out of your code and your history.

Jul 7, 20265 min read
Security Guides (Page 2) — Supply Chain Security Blog | Safeguard