session-security
Safeguard articles tagged "session-security" — guides, analysis, and best practices for software supply chain and application security.
8 articles
A hardening guide to securing Flask applications
Flask ships session cookies with HttpOnly on by default — but Secure, SameSite, CSRF tokens, and every security header are left entirely to you.
What is CSRF (Cross-Site Request Forgery)?
CSRF makes a logged-in user's browser perform actions they never intended — changing an email, moving money, granting access — using the victim's own session. Here's how it works and how to stop it.
Cookie Security Best Practices (2026)
Session cookies are the keys to your users' accounts. Here is how to set them so they cannot be stolen, forged, or leaked: the flags, the prefixes, and the parsing pitfalls.
Django CSRF protection and common session security miscon...
Django's CSRF defaults are solid, but wildcards, exempted webhooks, and reordered middleware quietly undo them. Here's where django csrf misconfiguration actually happens.
Cross-site request forgery (CSRF) explained
CSRF forges authenticated requests using a victim's own session cookies. Learn how real attacks against Netflix and uTorrent worked, and how to stop them.
CVE-2023-30861: Flask session cookie disclosure to templates
CVE-2023-30861 lets caching proxies leak Flask session cookies between users when responses aren't marked Vary: Cookie. Here's who's affected and how to fix it.
CSRF Attacks: How They Work and How Tokens Stop Them
A CSRF attack rides a logged-in user's browser to forge requests they never meant to send. Here is the mechanism and why anti-CSRF tokens defeat it.
Cookie Security for Modern Web Applications
Cookie misconfigurations remain one of the most common web vulnerabilities. From SameSite to cookie prefixes, here is how to configure cookies that resist session hijacking and CSRF attacks.