authorization
Safeguard articles tagged "authorization" — guides, analysis, and best practices for software supply chain and application security.
25 articles
Broken object-level authorization in Kubernetes integrations: CVE-2023-1065
One leaked Integration ID was enough to pollute a Snyk customer's findings — CVE-2023-1065 shows why possession of an identifier is not authorization.
Securing gRPC APIs: mTLS, Interceptors, and Input Validation
CVE-2023-44487 knocked grpc-go services offline with a Rapid Reset flood — a reminder that gRPC ships fast, insecure by default, and needs hardening at every layer.
OAuth 2.0 Security Best Practices (2026)
OAuth 2.0 is safe when you follow the current security BCP and dangerous when you follow a decade-old tutorial. Here is what RFC 9700 requires in 2026: PKCE everywhere, exact redirect matching, and sender-constrained tokens.
REST API Security Best Practices: The OWASP API Top 10 in Practice
Most API breaches aren't exotic — they're broken object-level authorization and missing rate limits. A practical walk through the OWASP API Security Top 10.
GraphQL API Security: Introspection, Depth Limits, and Authorization
GraphQL's flexibility is its attack surface. Nested queries, introspection, and per-field authorization all fail differently than REST. Here's how to secure them.
Mass Assignment Vulnerability: How to Prevent It
Mass assignment lets attackers set fields you never meant to expose — like isAdmin or accountBalance — by adding them to a request body. Here is the fix.
Authentication vs Authorization: What's the Difference?
Authentication proves who you are. Authorization decides what you're allowed to do. One is the ID check at the door; the other is the list of rooms you can enter.
OWASP A01: Broken Access Control — A Deep-Dive Guide
Broken Access Control is the #1 OWASP Top 10 (2021) risk. A deep dive into IDOR, missing authorization, real CVEs, and how to detect and fix it in 2026.
Defending LLM agents against confused-deputy attacks on their tool privileges
An LLM agent with tools is a deputy that holds privileges its users do not. Attackers exploit that gap by tricking the agent into using those privileges on their behalf — here is how to design defenses that hold up.
MCP Server Authorization Patterns in 2026
The Model Context Protocol shifted agent integration from custom glue to a standard surface. Authorization patterns that work, and the ones that keep biting teams.
AI Agent Tool Confused Deputy Problem in 2026
A senior engineer's take on the confused deputy problem in AI agent tool use, why it keeps reappearing in 2026, and the architectural patterns that actually fix it.
What is GraphQL Security
GraphQL's flexibility creates unique risks—excessive data exposure, DoS via nested queries, and broken field-level authorization. Here's how to defend it.