Safeguard
Tag

web-security

Safeguard articles tagged "web-security" — guides, analysis, and best practices for software supply chain and application security.

90 articles

Buyer's Guides

Best API Security Tools in 2026: An Honest Buyer's Guide

A balanced 2026 comparison of the leading API security tools — Salt Security, Akamai API Security, Traceable, 42Crunch, Wallarm, and StackHawk — with an honest look at where Safeguard fits.

Jul 8, 20266 min read
Security Guides

The Go Web Application Security Checklist: Server Hardening to Output Encoding

A field-tested checklist for Go web services — the http.Server timeouts nobody sets, html/template escaping traps, auth and session hygiene, and the headers that actually matter.

Jul 8, 20266 min read
Vulnerability Guides

Open Redirect Vulnerabilities: Prevention Guide

An open redirect lets an attacker use your trusted domain to send victims anywhere — the ideal setup for phishing and OAuth token theft. Here's how to build redirects that can't be abused.

Jul 8, 20265 min read
Security Guides

Preventing SSRF in Python Applications

Server-side request forgery turns your own backend into an attacker's proxy, reaching internal services and cloud metadata endpoints you never meant to expose.

Jul 8, 20265 min read
Security Guides

Preventing CSRF and XSS in ASP.NET Core

How CSRF and XSS actually work against ASP.NET Core apps, and the concrete defenses, antiforgery tokens, Razor output encoding, CSP, and SameSite cookies, that shut them down.

Jul 7, 20266 min read
Security Guides

OAuth 2.0 Security Best Practices (2026)

OAuth 2.0 is safe when you follow the current security BCP and dangerous when you follow a decade-old tutorial. Here is what RFC 9700 requires in 2026: PKCE everywhere, exact redirect matching, and sender-constrained tokens.

Jul 7, 20266 min read
Vulnerability Guides

What is CSRF (Cross-Site Request Forgery)?

CSRF makes a logged-in user's browser perform actions they never intended — changing an email, moving money, granting access — using the victim's own session. Here's how it works and how to stop it.

Jul 7, 20265 min read
Security Guides

Cookie Security Best Practices (2026)

Session cookies are the keys to your users' accounts. Here is how to set them so they cannot be stolen, forged, or leaked: the flags, the prefixes, and the parsing pitfalls.

Jul 6, 20266 min read
Vulnerability Guides

Path Traversal Vulnerability Prevention, Explained

One unvalidated filename and `../../../etc/passwd` reads files you never meant to expose — or worse, executes them. Here's how path traversal works and how to build file access that can't be tricked.

Jul 6, 20265 min read
Security Guides

Subresource Integrity (SRI) Explained (2026)

Subresource Integrity pins a cryptographic hash to every script you load from a CDN, so a compromised CDN cannot silently swap in malicious code. Here is how it works and where it stops.

Jul 5, 20265 min read
Vulnerability Guides

What is ReDoS (Regular Expression Denial of Service)?

A single badly written regular expression can freeze an entire service under a short, crafted input. This is ReDoS — and it has taken down Cloudflare and Stack Overflow. Here's how to avoid it.

Jul 5, 20265 min read
Security Guides

Securing Express Applications: A Layered Playbook

Express gives you almost no security by default. This playbook layers the middleware, headers, rate limits, session hardening, and input validation that turn a bare Express app into a defensible one — with Express 5 in mind.

Jul 4, 20265 min read
web-security — Safeguard Blog