Security Guides
In-depth guides and analysis on security guides from the Safeguard engineering team.
124 articles
The npm Supply Chain Security Guide
How the npm supply chain actually gets attacked — install scripts, maintainer takeovers, typosquatting, and dependency confusion — and a phased program to defend it from developer laptop to production.
SSRF Prevention in Go: Blocking Metadata, Redirects, and DNS Rebinding
A single unvalidated URL passed to net/http can hand an attacker your cloud metadata credentials. Here's how SSRF actually works against Go services — and the DialContext-level defense that stops it.
Angular Security Best Practices: Trusting the Sanitizer, Not Bypassing It
Angular sanitizes bindings by default — until a developer calls bypassSecurityTrustHtml. Here is how Angular's security model works and where teams break it.
ASP.NET Core Security Checklist for Production
A production-ready ASP.NET Core security checklist covering authentication, headers, HTTPS, antiforgery, rate limiting, and data protection, with the exact configuration for .NET 8 and .NET 9.
AWS Access Key Security Best Practices (2026)
Long-lived AWS access keys are the single most abused cloud credential. Here is how to eliminate them where you can, harden the ones you keep, and detect leaks — with real breaches and copy-paste commands.
Bun Security Best Practices (2026)
Bun is fast and Node-compatible, but unlike Deno it has no permission sandbox. Here is how to run it safely: trusted-dependency script blocking, frozen lockfiles, and real dependency auditing.
Deno Security Best Practices (2026)
Deno is secure by default, but its permission model only protects you if you use it deliberately. Here is how to run Deno with least privilege and keep its dependency graph clean.
Express.js Security Guide (2026)
Express is the default web framework for Node.js — and a small, deep dependency tree that has produced open-redirect, XSS, and ReDoS CVEs. Here is how to run Express safely in 2026.
FastAPI Security Best Practices: A 2026 Guide
FastAPI's type system catches a whole class of bugs for free, but async I/O, JWT handling, and dependency injection introduce risks that Pydantic will not save you from.
Preventing Command Injection in Go: Allowlists, Argument Safety, and Sandboxing
os/exec keeps the shell out of your way — but user-controlled binaries, flag injection, and PATH tricks still get Go services popped. Here's the prevention playbook, not just the theory.
Java Deserialization Vulnerabilities: How Gadget Chains Work and How to Stop Them
Native Java deserialization can turn a single readObject() call into remote code execution. Here's how gadget chains work and how to shut them down.
JavaScript Security: The Common Pitfalls That Keep Burning Teams
The recurring JavaScript security mistakes that show up in real breaches — unsafe deserialization, injection sinks, prototype pollution, and trusting client input — each with vulnerable and fixed code.