Security Glossary
38 security terms explained in plain language. Understand the vulnerabilities, defenses, and concepts that matter when building and deploying web applications.
A
API Key Exposure
API key exposure occurs when secret credentials intended for server-side use are accidentally included in client-side code, version control, or public assets where unauthorized parties can access them.
Authentication Bypass
Authentication bypass is a class of vulnerabilities that allows attackers to gain access to protected resources or user accounts without providing valid credentials.
B
Broken Access Control
Broken access control occurs when an application fails to properly enforce restrictions on what authenticated users are allowed to do, enabling them to access unauthorized resources or perform unauthorized actions.
Brute Force Attack
A brute force attack is a trial-and-error method where an attacker systematically attempts many passwords, passphrases, or encryption keys to gain unauthorized access to an account or system.
C
Certificate Pinning
Certificate pinning is a technique where an application (typically a mobile or native client) associates a specific certificate or public key with a host and rejects any TLS connection on which the server presents a different one, even if that certificate chains to a trusted CA. It defends against misissued or compromised CA certificates, but pins must be planned around certificate rotation (pin a backup key too) or the app locks itself out; browsers dropped HTTP Public Key Pinning for this reason.
Clickjacking
Clickjacking is a visual deception attack where a malicious page loads the target site in a transparent iframe positioned over decoy content, so that clicks the user believes land on the decoy actually hit buttons or links on the hidden page and perform actions with the user's existing session. The defense is to refuse framing, via the Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header.
Content Security Policy (CSP)
Content Security Policy is a security standard delivered as an HTTP response header (Content-Security-Policy) that tells the browser which sources it may load scripts, styles, images, fonts and frames from, and which origins may embed the page. A policy that avoids 'unsafe-inline' for scripts, ideally by allowing only nonced or hashed scripts, removes most of the impact of XSS even when an injection slips through; the Content-Security-Policy-Report-Only variant reports violations without enforcing the policy, which is the usual way to roll one out.
Cross-Origin Resource Sharing (CORS)
CORS is an HTTP header-based mechanism by which a server indicates which origins the browser may allow to read its responses, selectively relaxing the same-origin policy for legitimate cross-origin requests. It governs reading, not sending: the browser still sends simple cross-origin requests (attaching cookies when SameSite rules permit) and then withholds the response from the calling script unless Access-Control-Allow-Origin permits that origin; non-simple requests are first checked with a preflight OPTIONS request. Reflecting any Origin value back together with Access-Control-Allow-Credentials: true lets every site on the web read authenticated data, which is the most common CORS misconfiguration.
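An origin allowlist check for the server side of CORS, added here as an example (it is not code from this glossary). The allowlisted origins and the request origins exercised in the comments are constructed for illustration; the naive suffix check is included only to show the mistake it makes.

```javascript
// Added example: origin allowlisting for CORS. Origins below are constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// The mistake: suffix matching also trusts hosts an attacker can register,
// such as https://evil-example.com or https://example.com.evil.net.
function isAllowedOriginNaive(origin) {
  return typeof origin === 'string' && origin.endsWith('example.com');
}

// Return the CORS headers for a request carrying the given Origin header,
// or null when the origin is not trusted (then send no CORS headers at all).
// Never reflect an arbitrary Origin together with Allow-Credentials: true.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string') return null;   // no Origin header: not a cross-origin request
  if (origin === 'null') return null;            // sandboxed iframes, file://, some redirects
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return null;                                 // not a valid serialized origin
  }
  // Exact comparison of scheme, host and port. Anything the parser would
  // normalise (uppercase host, explicit :443, trailing slash) is rejected,
  // because a real browser never sends Origin in those forms.
  if (parsed.origin !== origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    // Allow-Origin differs per request, so shared caches must key on Origin.
    'Vary': 'Origin',
  };
}
```

Apply the returned headers to both the preflight OPTIONS response and the actual response; when the function returns null, send no Access-Control-* headers rather than a permissive default.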
Cross-Site Request Forgery (CSRF)
CSRF is an attack in which a malicious page causes an authenticated user's browser to send a request to a web application where the user is logged in. Because the browser attaches the session cookie automatically, the application treats the forged request as the user's own. Per-session anti-CSRF tokens and the SameSite cookie attribute are the standard defenses.
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious client-side scripts into web pages viewed by other users.
Cryptographic Failures
Cryptographic failures occur when sensitive data is not properly protected through encryption, hashing, or key management, leading to data exposure, integrity violations, or authentication bypasses.
H
HTTP Strict Transport Security (HSTS)
HSTS is a response header (Strict-Transport-Security) that tells browsers to reach the site only over HTTPS for the stated max-age, rewriting http:// links to https:// before any request is sent and refusing to let the user click through certificate errors. This blocks protocol-downgrade and cookie-stripping attacks on later visits; the very first visit is unprotected unless the domain is on the browsers' preload list.
HttpOnly Cookies
HttpOnly is a cookie attribute that prevents client-side JavaScript from reading the cookie through document.cookie, protecting session tokens and other sensitive cookies from being exfiltrated by XSS. It limits the damage rather than eliminating it: injected script can still make requests from the page, and the browser attaches the cookie to those requests as usual.
I
Injection Attacks
Injection attacks are a class of vulnerabilities where an attacker sends untrusted data to an interpreter as part of a command or query, causing unintended execution of the attacker's instructions.
Input Validation
Input validation is the practice of checking all data received from users and external sources against expected formats, types, lengths, and ranges before processing it. It is the first line of defense against injection attacks but complements rather than replaces parameterized queries and output encoding: a value that passes validation (an apostrophe in a surname, for example) can still be dangerous in the wrong context.
Insecure Direct Object Reference (IDOR)
IDOR is an access control vulnerability where an application exposes internal object references (like database IDs) and fails to verify that the requesting user is authorized to access the referenced object.
O
OAuth Vulnerabilities
OAuth vulnerabilities are security flaws in the implementation of OAuth 2.0 authorization flows that can lead to access token theft, account takeover, or unauthorized access to protected resources. Typical examples are a missing or unverified state parameter (allowing CSRF on the login), loose redirect_uri matching that lets an attacker receive authorization codes, and accepting a token that was issued to a different client.
Open Redirect
An open redirect is a vulnerability where an application accepts a user-controlled URL parameter (such as a post-login "return to" value) and redirects the browser to it without validation, enabling attackers to send users to malicious sites through a link that starts with a trusted domain. Validation must handle more than a leading slash: protocol-relative (//evil.com), backslash (/\evil.com), and credential-style (https://trusted@evil.com) forms all leave the site.
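One way to validate a redirect target, added here as an example rather than code from this page. It leans on the WHATWG URL parser (the same parser browsers use) to resolve the supplied value against the site's own origin and accepts it only if the origin is unchanged; the origin and targets in the test are constructed.

```javascript
// Added example: safe handling of a user-supplied redirect target.
// ownOrigin is the site's own origin, e.g. 'https://example.com' (assumed).
function safeRedirectTarget(target, ownOrigin, fallback = '/') {
  if (typeof target !== 'string' || target.length === 0) return fallback;
  let url;
  try {
    url = new URL(target, ownOrigin);   // relative paths resolve against our own origin
  } catch {
    return fallback;                    // unparseable input
  }
  // Protocol-relative (//evil.com), backslash tricks (/\evil.com), userinfo
  // tricks (https://example.com@evil.com), absolute URLs to other hosts and
  // non-http(s) schemes (javascript:, data:) all produce a different origin
  // after parsing and are rejected here.
  if (url.origin !== new URL(ownOrigin).origin) return fallback;
  // Return only path, query and fragment so the Location header can never
  // name another host even if the check above is ever weakened.
  return url.pathname + url.search + url.hash;
}
```

Use the returned value directly in the Location header; because it is always path-relative, a later change to the allowlist cannot reintroduce an absolute redirect.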
Output Encoding
Output encoding is the practice of converting special characters in data into their safe equivalents before rendering them in a specific output context (HTML, JavaScript, URLs, CSS), preventing injection attacks like XSS.
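Context-aware encoders for the three most common output contexts, added here as an example for the XSS and Output Encoding entries (not code from this page). The profile template and its field values are constructed; the point is that each field is encoded for the exact context it is inserted into.

```javascript
// Added example: one encoder per output context.

// HTML text and quoted-attribute context: escape the five characters that can
// change markup structure. Attribute values must always be quoted in the template.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context (inside <script> or an inline handler):
// hex-escape everything outside a conservative alphanumeric set, so quotes,
// backslashes, newlines and "</script>" can neither end the literal nor the block.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encode the value, never the whole URL,
// so "&" and "=" inside the value cannot introduce extra parameters.
function encodeUrlParam(s) {
  return encodeURIComponent(String(s));
}

// A template that picks the encoder by where the value lands. Field names and
// the markup are assumptions for this example.
function renderProfile({ name, website, greeting }) {
  return [
    `<h1>Hello, ${encodeHtml(name)}</h1>`,
    `<a href="/go?to=${encodeUrlParam(website)}">site</a>`,
    `<script>var greeting = "${encodeJsString(greeting)}";</script>`,
  ].join('\n');
}
```

The encoders deliberately do not try to "sanitize" input on the way in; the same string may be safe in one context and dangerous in another, so encoding is applied at the point of output.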
R
Rate Limiting
Rate limiting is a technique that controls the number of requests a client can make to an API or service within a defined time window, protecting against abuse, brute force attacks, and resource exhaustion.
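A sliding-window limiter, added here as an example for the Brute Force Attack and Rate Limiting entries (not code from this page). Keying a login endpoint on the client address together with the target username stops both spraying one password across many accounts and guessing many passwords for one account; the limits and the fake clock are assumptions for the example.

```javascript
// Added example: sliding-window rate limiter keyed by an arbitrary string.
class SlidingWindowLimiter {
  // now() is injectable so behaviour can be tested without waiting.
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> ascending timestamps inside the window
  }

  // Record one attempt for key and report whether it is allowed.
  // Returns { allowed, remaining, retryAfterMs }.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const stamps = (this.hits.get(key) || []).filter((s) => s > cutoff);
    if (stamps.length >= this.limit) {
      this.hits.set(key, stamps);
      // The oldest attempt in the window decides when the next one is allowed.
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + this.windowMs - t };
    }
    stamps.push(t);
    this.hits.set(key, stamps);
    return { allowed: true, remaining: this.limit - stamps.length, retryAfterMs: 0 };
  }
}

// Login attempts are keyed on source address and normalised username
// (the separator and case folding are choices made for this example).
function loginKey(ip, username) {
  return `${ip}|${username.trim().toLowerCase()}`;
}

// Convenience wrapper: 5 attempts per 15 minutes per (ip, username).
const loginLimiter = new SlidingWindowLimiter({ limit: 5, windowMs: 15 * 60 * 1000 });
function allowLoginAttempt(ip, username) {
  return loginLimiter.check(loginKey(ip, username));
}
```

Respond to a denied attempt with HTTP 429 and a Retry-After header derived from retryAfterMs. The in-memory Map only works for a single process; behind a load balancer the counters belong in a shared store such as Redis, and a second limiter keyed on username alone catches distributed attacks from many addresses.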
Row Level Security (RLS)
Row Level Security is a database feature (PostgreSQL implements it with ALTER TABLE ... ENABLE ROW LEVEL SECURITY and CREATE POLICY) that restricts which rows a query may read or write based on policies evaluated per row and per database role, so the restriction holds even when application code forgets a WHERE clause. In PostgreSQL the table owner bypasses policies unless FORCE ROW LEVEL SECURITY is set, and superusers and roles with BYPASSRLS always bypass them, so the application should connect as a less privileged role.
S
Same-Origin Policy
The same-origin policy is a fundamental browser security mechanism that restricts how documents and scripts from one origin can interact with resources from another origin, preventing malicious sites from reading data on other sites. An origin is the combination of scheme, host and port, so https://example.com and http://example.com are different origins; CORS is the controlled way to relax the policy.
SameSite Cookies
SameSite is a cookie attribute that controls whether the browser sends the cookie with cross-site requests, providing built-in CSRF protection by restricting when cookies travel across site boundaries. Strict never sends the cookie cross-site; Lax (the default in Chromium-based browsers when the attribute is absent) sends it only on top-level navigations that use safe methods such as GET; None always sends it and requires the Secure attribute. Lax therefore does not protect GET endpoints that change state, and it is a complement to anti-CSRF tokens rather than a replacement.
Secret Management
Secret management is the practice of securely storing, accessing, distributing, and rotating sensitive credentials like API keys, database passwords, encryption keys, and service tokens throughout an application's lifecycle.
Secure Cookies
The Secure attribute on a cookie instructs the browser to include the cookie only in requests sent over HTTPS, preventing it from being transmitted in plaintext over HTTP. Cookie names beginning with the __Host- prefix go further: the browser only accepts them when they are Secure, have Path=/ and carry no Domain attribute, which stops a subdomain from overwriting the session cookie.
Security Headers
Security headers are HTTP response headers that instruct browsers to enable specific security features, providing defense-in-depth against common web attacks like XSS, clickjacking, and data leakage.
Security Misconfiguration
Security misconfiguration is a broad vulnerability category where insecure default settings, incomplete configurations, verbose error messages, or unnecessary features leave an application exposed to attack.
Server-Side Request Forgery (SSRF)
SSRF is a vulnerability where an attacker makes a server issue requests (HTTP or any other protocol its client library supports) to destinations the attacker chooses, typically internal services, admin interfaces, or cloud metadata endpoints such as 169.254.169.254 that are unreachable from the internet but reachable from the server. Allowlisting destinations, blocking private and link-local address ranges, and checking the resolved address rather than the hostname are the usual mitigations.
Session Hijacking
Session hijacking is an attack where an adversary takes over a legitimate user's session by obtaining or forging their session identifier, gaining unauthorized access to their account.
SQL Injection
SQL injection is a code injection attack where attacker-controlled input concatenated into an application's SQL query changes the structure of that query, allowing attackers to read, modify, or delete database contents or, depending on the database, execute commands on the host. The reliable defense is parameterized queries (prepared statements), with input validation and least-privilege database accounts as supporting layers.
Subresource Integrity (SRI)
Subresource Integrity is a browser security feature that verifies that scripts and stylesheets loaded from external sources (CDNs, third-party hosts) have not been tampered with, by comparing the fetched bytes against a cryptographic hash (sha256, sha384 or sha512) carried in the element's integrity attribute; on a mismatch the browser refuses to execute the resource. Cross-origin resources must also carry crossorigin="anonymous" so the browser fetches them in CORS mode and is allowed to read the bytes it checks.