Security Guides
In-depth guides and analysis on security guides from the Safeguard engineering team.
124 articles
GitHub Token Security (2026 Guide)
GitHub tokens are keys to your source, your CI, and often your cloud. This guide covers PATs, fine-grained tokens, GitHub App and Actions tokens — and how to scope, store, and rotate them after the CircleCI and Heroku token thefts.
SQL Injection in Go: Why database/sql Is Safe Until You Reach for Sprintf
database/sql gives Go parameterized queries for free — yet SQL injection still ships in Go services through dynamic query building, ORM escape hatches, and misused identifiers. Here's the line you can't cross.
Auditing Go Modules with govulncheck
govulncheck is unusual: it uses static analysis to tell you not just which Go dependencies are vulnerable, but whether your code actually reaches the vulnerable function.
HTTP Security Headers Explained (2026)
HTTP security headers are the cheapest defense-in-depth you can ship. Here is what each one does, the values to set in 2026, and how to verify they are actually present.
Maven Dependency Security: Pinning, Verification, and Scanning
How to secure a Maven build in 2026 — pin versions, enforce convergence, verify artifacts, and scan the transitive tree that pom.xml never shows you.
Preventing SSRF in Node.js Applications
Server-Side Request Forgery is the bug that turns a harmless URL field into a doorway to your cloud metadata service. Here is how SSRF works in Node.js and how to shut it down with allowlists and DNS-safe validation.
OWASP A05: Security Misconfiguration — A Deep-Dive Guide
Security Misconfiguration ranks #5 in the OWASP Top 10 (2021) and absorbed XXE. A deep dive into defaults, exposed services, real CVEs, and how to fix them.
pandas Security Guide (2026)
pandas is the backbone of Python data analysis — and while its own CVE record is thin, the read_pickle deserialization risk is real, the query/eval expression engine invites injection, and most 'pandas findings' actually live in its dependency tree.
Preventing SQL Injection in Python
SQL injection is decades old and still ships to production. In Python it almost always comes down to one habit: building query strings instead of passing parameters.
Rails Security Best Practices: Strong Parameters, SQL, and Gems
Rails ships secure defaults, but mass assignment, string-interpolated SQL, and unvetted gems still cause real breaches. Here is how to hold the line.
Requests (Python) Security Guide (2026)
The Requests library is how most Python code talks HTTP — and a recurring class of credential-leak-on-redirect CVEs makes its version and config genuinely security-relevant.
Swift and iOS Security Best Practices: Storage, Transport, and the Dependency Supply Chain
iOS gives you a hardware-backed Keychain, Data Protection, and App Transport Security. Most iOS app breaches come from switching those defaults off — and from unaudited SwiftPM dependencies.