web-security
Safeguard articles tagged "web-security" — guides, analysis, and best practices for software supply chain and application security.
90 articles
What is Clickjacking
Clickjacking tricks users into clicking hidden UI via invisible iframes. Learn how it works, real incidents, key CVEs, and how to defend against it.
Cross-site scripting (XSS) explained for developers
XSS has topped vulnerability lists for two decades. Here's how reflected, stored, and DOM-based XSS actually work, real incidents, and how to fix them.
Directory listing exposure risks explained
Directory listing vulnerabilities expose raw file trees via one misconfigured Apache, Nginx, or IIS directive. Here's how they happen and how to fix them.
Subresource integrity bypass explained
SRI hashes can't stop what happens before the hash is made. How polyfill.io, British Airways, and event-stream exposed real gaps in browser integrity checks.
CRLF injection and HTTP response splitting explained
CRLF injection lets attackers forge HTTP headers and split responses. Here's how it works, real CVEs behind it, and how to detect and stop it.
Best DAST tools for web application security testing
A practical comparison of DAST tools -- from OWASP ZAP to Invicti -- covering real strengths, limitations, and what Safeguard adds beyond runtime scanning.
CORS Misconfiguration Vulnerabilities
CORS misconfiguration vulnerabilities let attackers steal authenticated API data with a single reflected Origin header. Here's how they happen and how to catch them before release.
CVE-2020-11022: XSS in jQuery via htmlPrefilter
CVE-2020-11022 lets attacker-controlled HTML bypass sanitization via jQuery's htmlPrefilter, enabling XSS in versions before 3.5.0. Impact, timeline, and fixes.
CVE-2022-34265: SQL injection via Trunc/Extract database ...
A technical breakdown of CVE-2022-34265, the Django SQL injection flaw in Trunc() and Extract(), covering affected versions, risk, and remediation steps.
Webhooks Security: A Practical Checklist
Webhooks security is easy to get wrong because the endpoint has to trust an unauthenticated inbound request by default — here's the checklist that closes the common gaps.
How to Run a Website Security Check (Free and Paid Methods)
A step-by-step website security check using free tools and paid platforms, from a quick URL scanner pass to authenticated scans and dependency analysis.
Security Plugins for CMS and App Platforms: What They Actually Do
A security plugin can harden a CMS meaningfully, but it can't fix a vulnerable core install or a poorly coded theme — it's a layer, not a replacement for patching.