Browse by Category
Client-Side Template Injection (CSTI)
Attacker-controlled input rendered as a template expression by a client-side framework (AngularJS, Vue, Handlebars), executing JavaScript in the victim's browser.
CWE-1336 OWASP A3:2021
1w ago security advanced 7.5
CSS Injection & Data Exfiltration via Stylesheets
Attacker-controlled CSS injected into a page or stylesheet that exfiltrates data via attribute selectors and `url()` callbacks, defaces UI, or enables phishing — all without a single line of JavaScript.
CWE-79 OWASP A3:2021
1w ago security advanced 6.5
CORS — Cross-Origin Resource Sharing PHP 7.0+
A browser security mechanism that blocks JavaScript from making HTTP requests to a different origin — PHP APIs must send specific headers to allow cross-origin requests from permitted frontend origins.
2mo ago security intermediate
Cache-Timing Side-Channel Attacks PHP 5.6+
Attacks that infer secret information from response time differences — cached responses arrive faster than uncached ones, leaking whether a resource exists or a secret was correct.
2mo ago security advanced
Cookie Security Attributes PHP 7.3+
Modern cookie prefixes (__Host-, __Secure-) and the Partitioned attribute enforce strict security properties that cannot be overridden by JavaScript or subdomains.
2mo ago security advanced
Cache Poisoning PHP 5.0+
An attacker manipulates a cached response so that subsequent users receive malicious content served from the cache.
CWE-346 OWASP A4:2021
2mo ago security advanced 8.1
Certificate Pinning
Hardcoding expected TLS certificate or public-key fingerprints in a client to prevent MITM even when a rogue CA issues a valid cert.
CWE-295 OWASP A7:2021
2mo ago security advanced
Clickjacking PHP 5.0+
A malicious page overlays an invisible iframe over your site, tricking users into clicking UI elements they cannot see.
CWE-1021 OWASP A4:2021
2mo ago security intermediate 6.5
Clickjacking & CSP frame-ancestors PHP 5.0+
Tricking users into clicking hidden UI elements by overlaying a transparent iframe — prevented by CSP frame-ancestors or the X-Frame-Options header.
CWE-1021 OWASP A4:2021
2mo ago security intermediate 6.1
Command Injection PHP 5.0+
User input passed to a shell function (exec, system, shell_exec) allows arbitrary OS command execution.
CWE-78 OWASP A3:2021
2mo ago security intermediate 9.8
Content Security Policy (CSP) PHP 5.0+
An HTTP response header that restricts which scripts, styles, and resources the browser is allowed to load.
2mo ago security intermediate
CORS Misconfiguration PHP 5.0+
Overly permissive Cross-Origin Resource Sharing headers allow malicious sites to read sensitive API responses.
CWE-942 OWASP A5:2021
2mo ago security intermediate 7.5
Credential Stuffing PHP 5.0+
Automated injection of username/password pairs from previous data breaches to gain access to accounts where users reused credentials.
CWE-307 OWASP A7:2021
2mo ago security intermediate 8.1
CRLF Injection PHP 5.0+
Injecting carriage-return and line-feed characters into HTTP headers splits responses or injects new headers, enabling log poisoning and XSS.
CWE-93 OWASP A3:2021
2mo ago security intermediate 6.1
CSPRNG PHP 7.0+
Cryptographically Secure Pseudo-Random Number Generator — produces unpredictable values suitable for security tokens.
2mo ago security intermediate
CSRF Double Submit Cookie Pattern PHP 5.0+
A stateless CSRF defence that sets a random cookie and requires it to also appear as a request parameter, relying on the Same-Origin Policy to prevent forgery.
CWE-352 OWASP A1:2021
2mo ago security advanced
CVSS
Common Vulnerability Scoring System — a 0–10 numeric score representing the severity of a security vulnerability.
2mo ago security beginner
CWE
Common Weakness Enumeration — a community-maintained list of software weakness types with unique numeric IDs.
2mo ago security beginner
Cross-Site Request Forgery (CSRF) PHP 5.0+
A forged request tricks an authenticated user's browser into performing an unintended action on a site they're logged into.
CWE-352 OWASP A1:2021
2mo ago security intermediate 6.5
Cross-Site Scripting (XSS) PHP 5.0+
User-supplied content rendered in the browser without escaping, allowing script injection into other users' sessions.
CWE-79 OWASP A3:2021
2mo ago security intermediate 6.1