Safeguard
Topic

Security Guides

In-depth guides and analysis on security guides from the Safeguard engineering team.

124 articles

Security Guides

GitHub Token Security (2026 Guide)

GitHub tokens are keys to your source, your CI, and often your cloud. This guide covers PATs, fine-grained tokens, GitHub App and Actions tokens — and how to scope, store, and rotate them after the CircleCI and Heroku token thefts.

Jul 3, 20266 min read
Security Guides

SQL Injection in Go: Why database/sql Is Safe Until You Reach for Sprintf

database/sql gives Go parameterized queries for free — yet SQL injection still ships in Go services through dynamic query building, ORM escape hatches, and misused identifiers. Here's the line you can't cross.

Jul 3, 20266 min read
Security Guides

Auditing Go Modules with govulncheck

govulncheck is unusual: it uses static analysis to tell you not just which Go dependencies are vulnerable, but whether your code actually reaches the vulnerable function.

Jul 3, 20265 min read
Security Guides

HTTP Security Headers Explained (2026)

HTTP security headers are the cheapest defense-in-depth you can ship. Here is what each one does, the values to set in 2026, and how to verify they are actually present.

Jul 3, 20265 min read
Security Guides

Maven Dependency Security: Pinning, Verification, and Scanning

How to secure a Maven build in 2026 — pin versions, enforce convergence, verify artifacts, and scan the transitive tree that pom.xml never shows you.

Jul 3, 20265 min read
Security Guides

Preventing SSRF in Node.js Applications

Server-Side Request Forgery is the bug that turns a harmless URL field into a doorway to your cloud metadata service. Here is how SSRF works in Node.js and how to shut it down with allowlists and DNS-safe validation.

Jul 3, 20266 min read
Security Guides

OWASP A05: Security Misconfiguration — A Deep-Dive Guide

Security Misconfiguration ranks #5 in the OWASP Top 10 (2021) and absorbed XXE. A deep dive into defaults, exposed services, real CVEs, and how to fix them.

Jul 3, 20266 min read
Security Guides

pandas Security Guide (2026)

pandas is the backbone of Python data analysis — and while its own CVE record is thin, the read_pickle deserialization risk is real, the query/eval expression engine invites injection, and most 'pandas findings' actually live in its dependency tree.

Jul 3, 20266 min read
Security Guides

Preventing SQL Injection in Python

SQL injection is decades old and still ships to production. In Python it almost always comes down to one habit: building query strings instead of passing parameters.

Jul 3, 20265 min read
Security Guides

Rails Security Best Practices: Strong Parameters, SQL, and Gems

Rails ships secure defaults, but mass assignment, string-interpolated SQL, and unvetted gems still cause real breaches. Here is how to hold the line.

Jul 3, 20265 min read
Security Guides

Requests (Python) Security Guide (2026)

The Requests library is how most Python code talks HTTP — and a recurring class of credential-leak-on-redirect CVEs makes its version and config genuinely security-relevant.

Jul 3, 20266 min read
Security Guides

Swift and iOS Security Best Practices: Storage, Transport, and the Dependency Supply Chain

iOS gives you a hardware-backed Keychain, Data Protection, and App Transport Security. Most iOS app breaches come from switching those defaults off — and from unaudited SwiftPM dependencies.

Jul 3, 20266 min read
Security Guides (Page 7) — Supply Chain Security Blog | Safeguard