Safeguard
Tag

application-security

Safeguard articles tagged "application-security" — guides, analysis, and best practices for software supply chain and application security.

613 articles

Application Security

Why Node.js's vm module is not a security sandbox

Node's own docs warn the vm module isn't a security mechanism — vm2, built on top of it, still shipped two CVSS 9.8 sandbox escapes in 2023.

Jul 14, 20266 min read
Application Security

Detecting and preventing Zip Slip and path traversal in Java

Snyk's 2018 Zip Slip disclosure hit Amazon, Apache, and LinkedIn projects at once — here's how the flaw still hides in Java archive code today, and how to catch it.

Jul 14, 20265 min read
Application Security

Preventing path traversal in Node.js file upload and serving code

path.join() doesn't stop ../../etc/passwd — CVE-2024-12905 and Zip Slip show why Node.js needs explicit containment checks, not just path normalization.

Jul 14, 20266 min read
Application Security

Preventing XSS in Django applications

Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.

Jul 14, 20266 min read
Application Security

ssl vs. requests vs. httpx: where Python TLS configuration goes wrong

Python didn't verify TLS certificates by default until PEP 476 landed in 2014 — a decade later, one stray verify=False call still reopens that exact hole.

Jul 14, 20265 min read
Application Security

XSS defaults and escape hatches: React, Vue, and Angular compared

All three major frameworks escape output by default, but each ships a named escape hatch that turns raw HTML back on — and only one sanitizes it automatically.

Jul 14, 20266 min read
Application Security

API gateway security: enforcing authN/authZ and rate limits at the edge

A single unauthenticated API endpoint exposed 37 million T-Mobile accounts in 2023. Edge-enforced authZ and identity-aware rate limits are how you prevent the repeat.

Jul 13, 20266 min read
Application Security

API security fundamentals: mapping the OWASP API Top 10 to real tests

OWASP's 2023 API Security Top 10 lists 10 risk categories — most start with a single curl request. Here's how to test and fix each one.

Jul 13, 202611 min read
Application Security

Finding and fixing XXE vulnerabilities across common XML parsers

XXE is tracked as CWE-611 and lives in OWASP's misconfiguration category — because most XML parsers ship unsafe by default.

Jul 13, 20267 min read
Application Security

A practical guide to HTTP security headers: CSP, HSTS, and beyond

A misconfigured checkout page let attackers skim 380,000+ card payments from British Airways in 2018. Here's how CSP, HSTS, and frame-ancestors actually stop attacks like that.

Jul 13, 20266 min read
Application Security

Java deserialization gadget chains explained

One 2015 talk and a tool called ysoserial turned ordinary Java libraries into remote code execution chains — here's how gadget chains work and how to stop them.

Jul 13, 20266 min read
Application Security

Using Jakarta Bean Validation correctly: a defensive walkthrough

Jakarta Bean Validation stops malformed input, not attackers — a 2025 Hibernate Validator EL-injection flaw (CVSS 7.3) shows what goes wrong when teams conflate the two.

Jul 13, 20267 min read
application-security (Page 3) — Safeguard Blog