Safeguard
Topic

Security Guides

In-depth guides and analysis on security guides from the Safeguard engineering team.

124 articles

Security Guides

Secrets Vault Comparison Guide (2026)

A secrets manager is the difference between one rotation and a hundred. This guide compares HashiCorp Vault, AWS/Azure/GCP native stores, Doppler, and Infisical — and how to migrate off hardcoded secrets.

Jul 7, 20266 min read
Security Guides

Single-Page Application Security: Tokens, XSS, and the Public Bundle

In an SPA, one XSS is game over and your entire bundle is public. Here's how token storage, CSP, OAuth PKCE, and CORS decide whether your SPA holds.

Jul 7, 20265 min read
Security Guides

tar (node-tar) Security Guide (2026)

node-tar is the archive engine underneath npm install itself — and a cluster of path-traversal and symlink CVEs made 'just extracting a tarball' one of the more dangerous operations in the Node.js ecosystem.

Jul 7, 20266 min read
Security Guides

Auditing Yarn Dependencies: A Guide to yarn audit and yarn npm audit

Yarn Classic and Yarn Berry audit dependencies differently. Learn the right commands for each, how to enforce overrides via resolutions, and where to go further.

Jul 7, 20265 min read
Security Guides

Auditing RubyGems Dependencies with bundler-audit

bundler-audit checks your Gemfile.lock against the ruby-advisory-db and flags insecure gem sources. Here is how to run it in Ruby and Rails projects — and beyond.

Jul 6, 20265 min read
Security Guides

Cookie Security Best Practices (2026)

Session cookies are the keys to your users' accounts. Here is how to set them so they cannot be stolen, forged, or leaked: the flags, the prefixes, and the parsing pitfalls.

Jul 6, 20266 min read
Security Guides

Detecting Hardcoded Secrets in Code (2026 Guide)

Nearly 24 million secrets leaked to public GitHub in 2024 alone. This guide covers how hardcoded secrets get in, how detection actually works, and how to catch them pre-commit with real commands.

Jul 6, 20266 min read
Security Guides

.NET Secrets Management: From User Secrets to Key Vault

How to keep connection strings, API keys, and certificates out of your .NET source and images, using the Secret Manager, environment configuration, managed identities, and a real vault.

Jul 6, 20265 min read
Security Guides

Elixir and Phoenix Security Best Practices: BEAM Footguns and the Hex Supply Chain

Phoenix is safe by default, but the BEAM has its own footguns — binary_to_term, atom exhaustion, dynamic eval — and the Erlang/OTP runtime beneath it shipped a CVSS 10.0 pre-auth SSH RCE in 2025.

Jul 6, 20266 min read
Security Guides

Go Dependency Management Security: go.mod Hygiene That Actually Reduces Risk

Minimal version selection, indirect dependencies, replace directives, and the update cadence nobody documents. A practical guide to keeping your Go dependency graph both current and trustworthy.

Jul 6, 20266 min read
Security Guides

JavaScript Dependency Vulnerability Scanning: Beyond npm audit

npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.

Jul 6, 20266 min read
Security Guides

JVM Supply Chain Security: Securing the Path from Source to Artifact

Your JVM supply chain spans repositories, build tools, plugins, and artifacts. Here's how to secure each link — from dependency confusion to artifact signing.

Jul 6, 20265 min read
Security Guides (Page 3) — Supply Chain Security Blog | Safeguard