Security Guides
In-depth guides and analysis on security guides from the Safeguard engineering team.
124 articles
ReDoS: Regular Expression Denial of Service in JavaScript
A single bad regex can freeze your entire Node.js event loop on one malicious request. Here is how catastrophic backtracking works, how to spot vulnerable patterns, and how to fix them without rewriting everything.
Rust Supply Chain Security: build.rs, Typosquatting, and Auditing crates.io
Rust's borrow checker guarantees memory safety in your code — and nothing about the crates you pull in. A cargo build runs arbitrary code at compile time, before any safe code executes.
WebSocket Security Guide: Origin Checks, Auth, and CSWSH
WebSockets skip the same-origin policy and don't carry your REST auth for free. Cross-site WebSocket hijacking is the flaw teams miss. Here's how to secure the handshake.
Preventing CSRF and XSS in ASP.NET Core
How CSRF and XSS actually work against ASP.NET Core apps, and the concrete defenses, antiforgery tokens, Razor output encoding, CSP, and SameSite cookies, that shut them down.
Axios Security Guide (2026)
Axios is the most popular HTTP client in the JavaScript ecosystem — and its SSRF and credential-leak CVEs make its version and configuration security-relevant. Here is how to run it safely.
Dart and Flutter Security Best Practices: Storage, Transport, and the pub.dev Supply Chain
A Flutter binary ships to both stores from one codebase — including any hardcoded secret, any disabled TLS check, and any vulnerable pub.dev package. Here is how to close each gap.
The gosec Static Analysis Guide: Rules, CI, and Taming False Positives
gosec catches hardcoded secrets, weak crypto, unsafe SQL, and command injection in Go — but only if you run it well and triage it honestly. A practical guide to the rules that matter and the noise that doesn't.
Java Secrets Management: Getting Credentials Out of Your Code
Hardcoded credentials are among the most common findings in Java codebases. Here's how to externalize, rotate, and protect secrets properly in 2026.
Node.js Docker Security Best Practices
A Node.js container is only as secure as its base image, its user, and its dependency layer. This is a Dockerfile-by-Dockerfile walkthrough of hardening a Node app image — multi-stage builds, non-root, distroless, and layer hygiene.
OAuth 2.0 Security Best Practices (2026)
OAuth 2.0 is safe when you follow the current security BCP and dangerous when you follow a decade-old tutorial. Here is what RFC 9700 requires in 2026: PKCE everywhere, exact redirect matching, and sender-constrained tokens.
OWASP A09: Security Logging and Monitoring Failures — A Deep-Dive Guide
Security Logging and Monitoring Failures rank #9 in the OWASP Top 10 (2021). A deep dive into undetected breaches, dwell time, real incidents, and how to fix it.
Secrets Management for Python Applications
Hard-coded API keys and .env files committed to git are still the fastest route into a Python app. Here is how to keep secrets out of your code and your history.