web-security
Safeguard articles tagged "web-security" — guides, analysis, and best practices for software supply chain and application security.
90 articles
HTTP Request Smuggling: A Practical Guide
HTTP request smuggling exploits disagreements between frontend and backend servers about where one request ends and the next begins. This guide covers CL.TE, TE.CL, and TE.TE variants with detection and defense strategies.
Progressive Web App Security: The Risks Hiding in the Browser
PWAs blur the line between websites and applications. Their security model is browser-based, which introduces different risks than native applications.
Insecure Deserialization: Why Untrusted Data Should Never Become Objects
Deserialization vulnerabilities turn data into code execution. Here is how they work, which languages are most affected, and how to defend against them.
Authorization Vulnerabilities: Prevention and Best Practices
Authorization flaws let authenticated users access resources and perform actions beyond their intended permissions. Learn the most common authorization vulnerabilities and how to build robust access control systems.
Cache Poisoning Attacks: How They Work and How to Prevent Them
Cache poisoning attacks manipulate web caches to serve malicious content to other users. This guide covers web cache poisoning, DNS cache poisoning, and practical defenses for modern applications.
Template Injection (SSTI) Prevention Guide
Server-Side Template Injection turns template engines into code execution engines. This guide covers SSTI in Jinja2, Twig, Freemarker, and other engines, with detection techniques and layered defenses.
Svelte and SvelteKit Security Best Practices for Production Apps
Svelte's compile-time approach reduces runtime attack surface, but SvelteKit introduces server-side considerations that require deliberate security attention. A practical guide.
Flask Application Security: A Deep Dive
Flask gives you room to make mistakes. This is a long look at the patterns that keep Flask apps safe in 2023, covering sessions, extensions, Werkzeug, and Jinja.
Server-Side Request Forgery (SSRF): The Vulnerability That Unlocks Cloud Metadata
SSRF lets attackers reach internal services through your application. In cloud environments, that often means access to instance metadata and IAM credentials.
Authentication Bypass: Common Patterns Attackers Exploit
Authentication bypass vulnerabilities let attackers access protected resources without valid credentials. This guide covers the most common bypass patterns found in modern web applications and how to prevent each one.
Django Security and Supply Chain Guide
Securing Django applications with built-in security features, dependency management, and supply chain protections.
Subresource Integrity Failures: When CDN Trust Goes Wrong
SRI protects against CDN compromises and supply chain attacks on client-side scripts. Most web applications do not use it. Here is what they are missing.