Safeguard
Tag

oauth

Safeguard articles tagged "oauth" — guides, analysis, and best practices for software supply chain and application security.

21 articles

Supply Chain Attacks

Lessons from the CircleCI 2023 secrets breach

A stolen session cookie bypassed 2FA and let attackers read secrets from live memory. CircleCI's own timeline shows what fast rotation actually requires.

Jul 15, 20267 min read
Application Security

Where should your SPA store auth tokens?

OWASP has warned against localStorage tokens for years, yet it remains the default in countless SPA tutorials — one XSS bug is all it takes to exfiltrate every session.

Jul 10, 20266 min read
AI Security

Securing MCP Servers for AI Agents

Five CVEs in 2025 alone trace MCP tool compromise back to one root cause: unsanitized strings piped into exec(). Here's how to expose and consume MCP safely.

Jul 9, 20267 min read
Security Guides

OAuth 2.0 Security Best Practices (2026)

OAuth 2.0 is safe when you follow the current security BCP and dangerous when you follow a decade-old tutorial. Here is what RFC 9700 requires in 2026: PKCE everywhere, exact redirect matching, and sender-constrained tokens.

Jul 7, 20266 min read
Security Guides

Single-Page Application Security: Tokens, XSS, and the Public Bundle

In an SPA, one XSS is game over and your entire bundle is public. Here's how token storage, CSP, OAuth PKCE, and CORS decide whether your SPA holds.

Jul 7, 20265 min read
Identity Security

FBI Warns on Kali365: A PhaaS Kit That Steals M365 OAuth Tokens and Bypasses MFA (May 2026)

The FBI's May 21, 2026 IC3 advisory details Kali365, a Telegram-distributed phishing-as-a-service kit that uses device-code phishing to capture Microsoft 365 access and refresh tokens, granting password-free, MFA-immune persistence.

May 22, 202611 min read
Incident Analysis

The Vercel Breach: A Forgotten OAuth Grant Became a SaaS Supply-Chain Pivot (May 2026)

An infostealer infection at AI startup Context.ai let attackers reuse a Vercel employee's months-old Google Workspace OAuth grant to bypass MFA and exfiltrate customer environment variables. Disclosed April 2026, the fallout deepened through May.

May 12, 202612 min read
Supply Chain Attacks

Chrome Extension Cyberhaven Supply Chain Attack 2024

A technical retrospective on the 2024 Cyberhaven Chrome extension compromise: the phishing chain, the malicious OAuth flow, the exfiltration payload, and what actually changes browser-extension supply chain defense.

Mar 30, 20268 min read
AI Security

Securing MCP Servers: A Practical Checklist

MCP servers are runtime dependencies your agent trusts implicitly. Here is a concrete checklist for auth, tool pinning, sandboxing, and monitoring before you ship one.

Mar 22, 20266 min read
AI Security

MCP Server Authorization Patterns in 2026

The Model Context Protocol shifted agent integration from custom glue to a standard surface. Authorization patterns that work, and the ones that keep biting teams.

Mar 19, 20266 min read
AI Security

MCP Authentication Patterns for Enterprise

Enterprise MCP deployments need more than a static API key. The protocol is evolving toward OAuth 2.1 and dynamic client registration, and understanding which pattern fits which workload decides whether your rollout survives the first audit.

Mar 8, 20267 min read
Application Security

OAuth vs API Keys

OAuth and API keys aren't interchangeable: one is a static, long-lived credential, the other a scoped, expiring token. Here's how to choose, backed by real breaches.

Mar 8, 20267 min read
oauth — Safeguard Blog