Security terms
Defending code from the threats that never sleep
Security vulnerabilities do not announce themselves — they wait quietly in code that looks perfectly fine on the surface. This category covers attack vectors, defensive techniques, secure coding practices, and the mental models that help you think like an attacker before one finds you. From SQL injection and XSS to authentication flaws and cryptographic pitfalls, understanding these terms is not optional — it is professional responsibility.
NoSQL Injection PHP 5.4+
Attacker-controlled input embedded into NoSQL queries (MongoDB, Redis, Couchbase) that subverts query intent — bypassing auth, exfiltrating data, or executing server-side code.
CWE-943 OWASP A3:2021
1w ago
security intermediate
8.8
Server-Side Includes (SSI) Injection
Attacker-controlled SSI directives (`<!--#exec ... -->`) injected into pages parsed by Apache or another SSI-enabled server, achieving file disclosure or remote command execution.
CWE-97 OWASP A3:2021
1w ago
security intermediate
9.8
Software Composition Analysis (SCA)
The practice and tooling for identifying all open-source and third-party components in a codebase, detecting known vulnerabilities (CVEs) in them, and flagging licence risks — distinct from static analysis of your own code.
3w ago
security intermediate
Brute-Force Protection
Defences against automated credential-guessing attacks — rate limiting login attempts, account lockout, CAPTCHA, and multi-factor authentication to make online password guessing impractical rather than merely slow.
CWE-307 OWASP A7:2021
4w ago
security intermediate
OAuth 2.0
An authorisation framework that lets users grant third-party applications limited access to their resources without sharing passwords — using short-lived access tokens issued via defined flows for different client types.
CWE-287 OWASP A7:2021
4w ago
security intermediate
Dependency & Supply Chain Security
Protecting applications from malicious or vulnerable third-party packages — covering transitive dependencies, lock files, SRI hashes, CVE scanning, and supply chain attack vectors.
CWE-1357 OWASP A6:2021
1mo ago
security intermediate
Mixed Content (HTTP on HTTPS)
When an HTTPS page loads resources (images, scripts, stylesheets) over HTTP — browsers block active mixed content and warn on passive, undermining the security of the HTTPS connection.
CWE-319
1mo ago
security intermediate
Authentication PHP 7.0+
The process of verifying that a user is who they claim to be — typically by validating credentials (password, token, certificate) and establishing a session or issuing a signed token for subsequent requests.
2mo ago
security intermediate
Authorisation PHP 7.0+
The process of determining what an authenticated user is permitted to do — checking permissions, roles, or policies before allowing access to a resource or action.
2mo ago
security intermediate
CORS — Cross-Origin Resource Sharing PHP 7.0+
A browser mechanism for selectively relaxing the same-origin policy, which by default stops JavaScript from reading the response to an HTTP request made to a different origin — PHP APIs must send specific response headers to allow cross-origin requests from permitted frontend origins.
2mo ago
security intermediate
OWASP API Security Top 10
The OWASP API Security Top 10 lists the most critical API vulnerabilities — a separate list from the web application Top 10, covering risks specific to REST, GraphQL, and other API surfaces such as broken object-level authorisation and unrestricted resource consumption.
2mo ago
security intermediate
Remote Code Execution (RCE)
A vulnerability allowing an attacker to run arbitrary code on the server — the most severe class of web vulnerability, typically reached through eval(), unserialize() on untrusted data, file upload flaws, or OS command injection.
2mo ago
security intermediate
Role-Based Access Control (RBAC)
An authorisation model where permissions are assigned to roles, and roles are assigned to users — checking 'can this role perform this action?' rather than 'can this specific user?'
2mo ago
security intermediate
extract() Security Risk PHP 4.0+
extract() creates variables from an array in the current scope — using it on user input ($_POST, $_GET) allows attackers to overwrite any local variable.
2mo ago
security intermediate
Object Cloning & Security Implications PHP 5.0+
clone creates a shallow copy — nested objects are still shared references. Implement __clone() for deep copy and audit what sensitive state gets duplicated.
2mo ago
security intermediate
register_globals Risk & Legacy Code PHP 3.0+
register_globals automatically created PHP variables from GET/POST/COOKIE data — removed in PHP 5.4. Legacy code using it is critically vulnerable to variable injection.
2mo ago
security intermediate
Safe Mode Removal & Modern Alternatives PHP 4.0+
PHP's safe_mode was removed in PHP 5.4 — it provided false security. Modern alternatives are open_basedir, OS-level permissions, and containers.
2mo ago
security intermediate
API Key Lifecycle Management
Generating, distributing, rotating, and revoking API keys securely — covering scoping, expiry, audit logging, and emergency revocation procedures.
2mo ago
security intermediate
Insecure Randomness PHP 7.0+
Using non-cryptographic random functions (rand(), mt_rand(), array_rand()) for security tokens — these are predictable and enable token forgery, session prediction, and CSRF bypass.
2mo ago
security intermediate
MIME Sniffing & X-Content-Type-Options PHP 5.0+
Browsers that sniff file content to guess MIME type can execute uploaded HTML/JavaScript files as scripts — X-Content-Type-Options: nosniff prevents this.
2mo ago
security intermediate