Security Glossary
Every security term your scanner mentions, explained without jargon.
A
Authentication vs Authorization: The Difference That Gets Apps Hacked
Authentication proves who you are. Authorization decides what you are allowed to do. Checking the first and skipping the second (the user is logged in, so any record they ask for is handed over) is one of the most common ways vibe-coded apps get breached.
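The gap described above, as an added example (not code from this page or its scanner): two versions of the same "get document" handler. The first only authenticates; the second also authorizes by checking that the caller owns the row. The document store, session table and handler names are made up for the example.

```javascript
// Added example: authentication vs authorization on one read endpoint.
// Names (documents, sessions, handler signatures) are assumptions for
// illustration, not an API from any library.

// Constructed in-memory data standing in for a database table.
const documents = new Map([
  ["doc-1", { id: "doc-1", ownerId: "alice", body: "Alice's private notes" }],
  ["doc-2", { id: "doc-2", ownerId: "bob", body: "Bob's invoices" }],
]);

// Constructed session lookup: token -> user. A real app would verify a
// signed cookie or JWT here; that step is authentication.
const sessions = new Map([
  ["tok-alice", { userId: "alice" }],
  ["tok-bob", { userId: "bob" }],
]);

function authenticate(token) {
  return sessions.get(token) || null;
}

// VULNERABLE: confirms that *someone* is logged in, then trusts the id
// from the URL. Any authenticated user can read any document by guessing
// ids (an insecure direct object reference).
function getDocumentVulnerable(token, docId) {
  const user = authenticate(token);
  if (!user) return { status: 401, body: "not logged in" };
  const doc = documents.get(docId);
  if (!doc) return { status: 404, body: "not found" };
  return { status: 200, body: doc.body };
}

// FIXED: authentication first, then an explicit authorization check that
// the caller owns the row. Returning 404 instead of 403 avoids confirming
// that the id exists; 403 is used here so the behaviour is visible.
function getDocumentSecure(token, docId) {
  const user = authenticate(token);
  if (!user) return { status: 401, body: "not logged in" };
  const doc = documents.get(docId);
  if (!doc) return { status: 404, body: "not found" };
  if (doc.ownerId !== user.userId) return { status: 403, body: "forbidden" };
  return { status: 200, body: doc.body };
}
```

The ownership check is the whole difference: with a database that supports row-level policies, the same rule can be enforced there as well so that a forgotten check in one handler does not expose every row.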
API Security Basics: Don't Expose Your Endpoints
APIs are the backbone of modern apps and one of the most common attack targets. Learn the basics of API security and the OWASP API Security Top 10.
What is an Open Redirect Vulnerability?
Open redirects let attackers use your domain to send users to malicious sites. Learn how they work and how to prevent them.
C
What is Clickjacking? X-Frame-Options Explained
Clickjacking tricks users into clicking hidden buttons by embedding your site in an iframe. Learn how X-Frame-Options and CSP frame-ancestors prevent it.
CORS Explained: Why Your Browser Blocks Requests
CORS errors are the bane of every developer's life. Learn what Cross-Origin Resource Sharing actually is, why browsers enforce the same-origin policy behind it, and how to fix the errors without opening your API to every origin.
What is Content Security Policy (CSP)?
Content Security Policy tells browsers which scripts and resources to trust. Learn how CSP works, why it matters, and how to set it up.
What is CSRF? Cross-Site Request Forgery Explained
CSRF tricks your browser into making requests you didn't intend. Learn how the attack works, why cookies make it possible, and how to prevent it.
What is Cross-Site Scripting (XSS)?
XSS lets attackers inject malicious scripts into your website. Learn the three types of XSS, real examples, and how to prevent them.
H
What is HSTS? HTTP Strict Transport Security Explained
HSTS tells browsers to use HTTPS for every request to your domain once they have seen the header (or, with preloading, from the very first visit). Learn what it does, why it matters, and how to enable it on your site.
HttpOnly, Secure, SameSite: Cookie Security Explained
Cookies store session data, but insecure cookies are easy targets. Learn what HttpOnly, Secure, and SameSite flags do and why they matter.
R
Rate Limiting: Stop Bots From Draining Your API Credits
Without rate limiting, one script can burn through your OpenAI credits overnight. Learn what rate limiting is, why AI-generated code rarely adds it, and how to implement it in Next.js.
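One way to implement the limit the entry describes, as an added example that is not from this page: a sliding-window limiter keyed by client, wrapped in a route-handler style guard that rejects with 429 before the expensive work (such as an OpenAI call) runs. The window size, request cap, in-memory store and handler shape are assumptions; a multi-instance Next.js deployment would need the counters in a shared store such as Redis instead.

```javascript
// Added example: sliding-window rate limiting in plain JavaScript.
// WINDOW_MS and MAX_REQUESTS are assumed values; tune them per endpoint.
const WINDOW_MS = 60_000;  // one-minute window
const MAX_REQUESTS = 5;    // requests allowed per key per window

// key -> timestamps of requests inside the current window (in-memory,
// so per process; use a shared store when running more than one instance)
const hits = new Map();

// Returns { allowed, remaining, retryAfterMs }. `now` is injectable so the
// behaviour can be tested without sleeping.
function rateLimit(key, now = Date.now()) {
  const cutoff = now - WINDOW_MS;
  const recent = (hits.get(key) || []).filter((t) => t > cutoff);
  if (recent.length >= MAX_REQUESTS) {
    hits.set(key, recent);
    // The oldest surviving hit leaves the window at recent[0] + WINDOW_MS.
    return { allowed: false, remaining: 0, retryAfterMs: recent[0] + WINDOW_MS - now };
  }
  recent.push(now);
  hits.set(key, recent);
  return { allowed: true, remaining: MAX_REQUESTS - recent.length, retryAfterMs: 0 };
}

// Route-handler style wrapper. `clientKey` must be something the caller
// cannot freely choose: behind a trusted proxy that is the forwarded IP,
// and for logged-in users preferably their user id. `doWork` is the
// expensive operation the limit protects.
function guardedHandler(clientKey, doWork, now = Date.now()) {
  const verdict = rateLimit(clientKey, now);
  if (!verdict.allowed) {
    return {
      status: 429,
      headers: { "Retry-After": String(Math.ceil(verdict.retryAfterMs / 1000)) },
      body: "rate limit exceeded",
    };
  }
  return {
    status: 200,
    headers: { "X-RateLimit-Remaining": String(verdict.remaining) },
    body: doWork(),
  };
}
```

In a Next.js route handler the same `rateLimit` call goes at the top of the handler, before the request body is parsed or any upstream API is contacted, so a rejected request costs nothing beyond the lookup.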
What is Referrer-Policy and Should You Care?
Referrer-Policy controls how much of the current page's URL the browser sends in the Referer header when users follow links or load resources from other sites. Learn why it matters and which value to use.
What is Row Level Security (RLS) in Supabase?
Row Level Security controls who can read and write each row in your database. Learn how RLS works in Supabase and PostgreSQL, and why skipping it is dangerous when Supabase's auto-generated API can reach your tables with the public anon key.
robots.txt: What It Does (and Doesn't Do) for Security
robots.txt tells crawlers which pages to skip, but it's not a security mechanism. Learn what it actually does and common misconceptions.
S
What is SQL Injection? The #1 Database Attack Explained
SQL injection lets attackers read, modify, or delete your entire database through a form field. Learn how it works, why AI-generated code is often vulnerable, and how to prevent it.
The Complete Guide to Security Headers
Security headers protect your site from common attacks. Learn which headers matter, what they do, and how to add them to your site.
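The checks behind the header entries on this page (HSTS, CSP and frame-ancestors against clickjacking, Referrer-Policy, and the HttpOnly, Secure and SameSite cookie flags), as an added example that is not this page's scanner or any project's code: a small audit function run over two constructed header sets, one weak and one hardened. The thresholds (one-year HSTS max-age) and finding texts are my own choices.

```javascript
// Added example: audit a response's security headers. The header objects
// below are constructed for the example, not captured from a real site.
const ONE_YEAR = 31536000;

// "default-src 'self'; frame-ancestors 'none'" -> Map(directive -> value)
function parseDirectives(csp) {
  const out = new Map();
  for (const part of csp.split(";")) {
    const [name, ...rest] = part.trim().split(/\s+/);
    if (name) out.set(name.toLowerCase(), rest.join(" "));
  }
  return out;
}

// `headers`: lowercase header name -> string, except set-cookie, which is
// an array with one entry per cookie (the shape Node's http module returns).
function auditHeaders(headers) {
  const findings = [];
  const h = (name) => headers[name];

  const hsts = h("strict-transport-security");
  if (!hsts) {
    findings.push("HSTS missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push("HSTS max-age below one year");
  }

  const csp = h("content-security-policy");
  const directives = csp ? parseDirectives(csp) : new Map();
  if (!csp) findings.push("CSP missing");
  // frame-ancestors supersedes X-Frame-Options; either one blocks framing.
  if (!directives.has("frame-ancestors") && !h("x-frame-options")) {
    findings.push("clickjacking: no frame-ancestors and no X-Frame-Options");
  }
  // Browsers ignore 'unsafe-inline' when a nonce or hash is also present.
  const scriptSrc = directives.get("script-src") ?? directives.get("default-src") ?? "";
  if (/'unsafe-inline'/.test(scriptSrc) && !/'nonce-|'sha(256|384|512)-/.test(scriptSrc)) {
    findings.push("CSP allows inline scripts without nonce or hash");
  }

  const rp = (h("referrer-policy") || "").toLowerCase();
  if (!rp || rp === "unsafe-url" || rp === "no-referrer-when-downgrade") {
    findings.push("Referrer-Policy missing or permissive");
  }

  if ((h("x-content-type-options") || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options: nosniff missing");
  }

  for (const cookie of headers["set-cookie"] || []) {
    const name = cookie.split("=")[0].trim();
    const attrs = cookie.toLowerCase();
    if (!/;\s*httponly/.test(attrs)) findings.push(`cookie ${name} lacks HttpOnly`);
    if (!/;\s*secure/.test(attrs)) findings.push(`cookie ${name} lacks Secure`);
    if (!/;\s*samesite=(lax|strict)/.test(attrs)) findings.push(`cookie ${name} lacks SameSite=Lax/Strict`);
  }
  return findings;
}

// Constructed sample responses.
const weakHeaders = {
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "set-cookie": ["session=abc123; Path=/"],
};
const hardenedHeaders = {
  "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
  "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  "referrer-policy": "strict-origin-when-cross-origin",
  "x-content-type-options": "nosniff",
  "set-cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
};
```

Running `auditHeaders(weakHeaders)` lists eight findings (missing HSTS, framing unprotected, inline scripts allowed, permissive Referrer-Policy, missing nosniff, and three missing cookie flags); `auditHeaders(hardenedHeaders)` returns none. The same function can be pointed at live headers by passing the `headers` object from a Node `http` response.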
Are Your Source Maps Leaking Your Code?
Source maps can expose your original source code to anyone. Learn what source maps are, why they're useful in dev, and why they're dangerous in production.
SPF, DKIM, DMARC: Stop Attackers From Spoofing Your Emails
SPF, DKIM, and DMARC are email authentication protocols that let receiving mail servers detect and reject messages forged to look like they came from your domain. Learn how they work together.
SSL vs TLS: What's the Difference and Why It Matters
SSL and TLS encrypt your website traffic. Learn the difference between them, why SSL is dead, and what TLS version you should use.
Supabase Security Checklist for Vibe Coders
Supabase puts an auto-generated API in front of your database that anyone on the internet can call with your public anon key. Here's the security checklist every Supabase developer needs to follow.