Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

AI Security

LLM-assisted vulnerability autofixing: approaches and how to validate the patches

At DARPA's AIxCC finals in August 2025, AI systems patched 68% of vulnerabilities they found — up from 25% at semifinals. Here's how the approaches differ and why validation still matters most.

Jul 8, 20267 min read
Application Security

The security cost of long-lived HTTP connections

Keep-alive and HTTP/2 multiplexing cut handshake overhead but hold server resources open per connection — Slowloris and 2023's Rapid Reset attacks both exploited exactly that tradeoff.

Jul 8, 20266 min read
Application Security

The Security Implications of Misconfigured CORS in Node.js APIs

One line of Express middleware — reflecting Origin back with credentials: true — turns CORS from a browser protection into an authenticated data-exfiltration channel.

Jul 8, 20266 min read
Application Security

CSRF in Node.js: attack mechanics and modern mitigation

Express has never shipped CSRF protection in core, and its most popular middleware, csurf, was archived in 2022 — here's what actually replaces it.

Jul 8, 20267 min read
Application Security

Node.js vs Deno vs Bun: comparing their security models

Only one of the three major JavaScript runtimes denies system access by default — Node's permission model only went stable in v23.5.0, and Bun still has none.

Jul 8, 20266 min read
Application Security

When Node.js sandboxing stops at the C++ boundary

Node's permission model can block a native addon from loading at all — but once it's in, a single buffer overflow in C++ can corrupt the whole process.

Jul 8, 20267 min read
Application Security

The security case for Node.js's newer runtime features

Node's permission model went stable in v23.5.0, the built-in test runner in v20 — both quietly shrink attack surface, but neither is the sandbox teams assume it is.

Jul 8, 20267 min read
Application Security

Implementing SSL/TLS certificate pinning in Node.js

HTTP Public Key Pinning died in Chrome 67 back in 2018, yet Node.js apps still need pinning for mobile backends and server-to-server calls — here's how to do it without bricking your own API.

Jul 8, 20266 min read
Application Security

Preventing open redirect vulnerabilities in Laravel

Laravel's own ->away() helper is documented as a bypass of its URL safety checks — feed it user input and you've built an open redirect, CWE-601, into the framework's happy path.

Jul 8, 20266 min read
Application Security

PHP code security fundamentals: injection, deserialization, and file inclusion

PHP still powers over 70% of server-side websites, and its three oldest vulnerability classes — injection, deserialization, and file inclusion — remain the most common findings in 2026.

Jul 8, 20267 min read
Application Security

PHPStan vs. Psalm: setting up PHP static analysis to catch security bugs pre-commit

Psalm ships free taint analysis out of the box; PHPStan doesn't track data flow at all without extensions. Here's how to wire either one into pre-commit.

Jul 8, 20266 min read
Application Security

Preventing log injection in Node.js and Express

A single unescaped newline in req.body can let an attacker forge fake log entries — CWE-117 log injection still hits Node apps that log with plain string concatenation.

Jul 8, 20266 min read
application-security (Page 10) — Safeguard Blog