Security Knowledge Base
Identify. Understand. Remediate.
Actionable guides for securing your modern web application.
Missing HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) acts as a "security seatbelt," forcing browsers to refuse all ...
Missing Content Security Policy (CSP)
CSP is the "nuclear option" against Cross-Site Scripting (XSS). It tells the browser exactly which d...
Mixed Content (Insecure Resources)
Mixed Content occurs when an HTTPS page loads resources (images, scripts, styles) over insecure HTTP...
Unsafe Links (Reverse Tabnabbing)
Links that open in a new tab (`target="_blank"`) without `rel="noopener"` or `rel="noreferrer"` are ...
Missing Subresource Integrity (SRI)
SRI ensures that files you load from CDNs (like jQuery or Bootstrap) haven't been tampered with....
CORS Misconfiguration
Cross-Origin Resource Sharing (CORS) controls which domains can access your API resources via the br...
Missing Permissions-Policy
Formerly "Feature-Policy", this header allows you to enable or disable browser features and APIs (li...
Missing X-Frame-Options
Prevents your website from being embedded in an iframe on another site. This stops "Clickjacking" at...
Missing X-Content-Type-Options
Prevents the browser from "guessing" the file type (MIME sniffing) and forces it to trust the server...
Weak Referrer Policy
Controls how much data about "where the user came from" is sent to the next website they visit....
Server Information Leakage
Your server is shouting its exact version number to the world (e.g., "nginx/1.18.0")....
Insecure Cookies
Cookies missing `Secure`, `HttpOnly`, or `SameSite` flags can be stolen or abused....