Security Guides
In-depth guides and analysis on security guides from the Safeguard engineering team.
124 articles
Secrets Vault Comparison Guide (2026)
A secrets manager is the difference between one rotation and a hundred. This guide compares HashiCorp Vault, AWS/Azure/GCP native stores, Doppler, and Infisical — and how to migrate off hardcoded secrets.
Single-Page Application Security: Tokens, XSS, and the Public Bundle
In an SPA, one XSS is game over and your entire bundle is public. Here's how token storage, CSP, OAuth PKCE, and CORS decide whether your SPA holds.
tar (node-tar) Security Guide (2026)
node-tar is the archive engine underneath npm install itself — and a cluster of path-traversal and symlink CVEs made 'just extracting a tarball' one of the more dangerous operations in the Node.js ecosystem.
Auditing Yarn Dependencies: A Guide to yarn audit and yarn npm audit
Yarn Classic and Yarn Berry audit dependencies differently. Learn the right commands for each, how to enforce overrides via resolutions, and where to go further.
Auditing RubyGems Dependencies with bundler-audit
bundler-audit checks your Gemfile.lock against the ruby-advisory-db and flags insecure gem sources. Here is how to run it in Ruby and Rails projects — and beyond.
Cookie Security Best Practices (2026)
Session cookies are the keys to your users' accounts. Here is how to set them so they cannot be stolen, forged, or leaked: the flags, the prefixes, and the parsing pitfalls.
Detecting Hardcoded Secrets in Code (2026 Guide)
Nearly 24 million secrets leaked to public GitHub in 2024 alone. This guide covers how hardcoded secrets get in, how detection actually works, and how to catch them pre-commit with real commands.
.NET Secrets Management: From User Secrets to Key Vault
How to keep connection strings, API keys, and certificates out of your .NET source and images, using the Secret Manager, environment configuration, managed identities, and a real vault.
Elixir and Phoenix Security Best Practices: BEAM Footguns and the Hex Supply Chain
Phoenix is safe by default, but the BEAM has its own footguns — binary_to_term, atom exhaustion, dynamic eval — and the Erlang/OTP runtime beneath it shipped a CVSS 10.0 pre-auth SSH RCE in 2025.
Go Dependency Management Security: go.mod Hygiene That Actually Reduces Risk
Minimal version selection, indirect dependencies, replace directives, and the update cadence nobody documents. A practical guide to keeping your Go dependency graph both current and trustworthy.
JavaScript Dependency Vulnerability Scanning: Beyond npm audit
npm audit tells you a CVE exists somewhere in your tree — not whether it can hurt you. Here is how dependency scanning really works, why reachability changes everything, and how to build a signal-rich program.
JVM Supply Chain Security: Securing the Path from Source to Artifact
Your JVM supply chain spans repositories, build tools, plugins, and artifacts. Here's how to secure each link — from dependency confusion to artifact signing.