Articles & Guides
Useful resources for web developers and system administrators
SEC
SQL Injection Prevention: Prepared Statements and ORM
SQL injection types, prepared statements, PDO, ORM safety, least privilege DB users, WAF. Examples in PHP, Node.js, Python.
SEC
WAF (Web Application Firewall): A Practical Guide
Web Application Firewall basics: ModSecurity, cloud WAFs (Cloudflare, AWS), OWASP CRS, when you need one, and avoiding false positives.
SEC
Subresource Integrity (SRI): Protecting CDN Scripts
Subresource Integrity (SRI) — the integrity attribute for <script> and <link>. Protection against CDN compromise, hash generation, crossorigin requirements, and the deprecated CSP require-sri-for directive.
SEC
API Rate Limiting: Token Bucket, 429, Retry-After
API rate limiting: token bucket vs sliding window, HTTP 429, Retry-After. Implementation on Redis, nginx, Express, NestJS.
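As an added example for the rate-limiting entry above (not code from the linked article), here is an in-memory token bucket that produces the HTTP 429 response and Retry-After header a client should receive. The clock is injected so behaviour is deterministic; the per-client key, the RateLimit-* header names (from the IETF draft) and the Express middleware shape are assumptions for illustration, and a real deployment would keep bucket state in Redis rather than in process memory.

```javascript
// Added example (not from the original article): token bucket rate limiter
// with 429 + Retry-After. State is in memory and the clock is injectable.

class TokenBucket {
  // capacity: burst size; refillPerSec: sustained request rate.
  constructor(capacity, refillPerSec, now = () => Date.now() / 1000) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.tokens = capacity;
    this.updatedAt = now();
  }

  // Credit the tokens earned since the last update, capped at capacity.
  refill() {
    const t = this.now();
    const elapsed = Math.max(0, t - this.updatedAt);
    this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.refillPerSec);
    this.updatedAt = t;
  }

  // Try to spend `cost` tokens. On rejection, report how long until enough
  // tokens will have been refilled to serve this request.
  take(cost = 1) {
    this.refill();
    if (this.tokens >= cost) {
      this.tokens -= cost;
      return { allowed: true, remaining: Math.floor(this.tokens), retryAfterSec: 0 };
    }
    const deficit = cost - this.tokens;
    return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(deficit / this.refillPerSec) };
  }
}

// One bucket per client identifier (API key or client IP).
const buckets = new Map();
function bucketFor(key, capacity, refillPerSec, now) {
  if (!buckets.has(key)) buckets.set(key, new TokenBucket(capacity, refillPerSec, now));
  return buckets.get(key);
}

// Decide the HTTP response for one request from `key`.
// Retry-After is only sent on 429 and is always at least 1 second.
function rateLimit(key, { capacity = 5, refillPerSec = 1, now } = {}) {
  const r = bucketFor(key, capacity, refillPerSec, now).take(1);
  const headers = { 'RateLimit-Limit': String(capacity), 'RateLimit-Remaining': String(r.remaining) };
  if (r.allowed) return { status: 200, headers };
  headers['Retry-After'] = String(Math.max(1, r.retryAfterSec));
  return { status: 429, headers };
}

// Express middleware form (assumed shape, not executed here). Key on the
// authenticated API key where possible; only trust X-Forwarded-For style
// headers for the IP when a trusted proxy sets them.
function rateLimitMiddleware(opts) {
  return (req, res, next) => {
    const key = req.get('X-API-Key') || req.ip;
    const d = rateLimit(key, opts);
    res.set(d.headers);
    if (d.status === 429) return res.status(429).json({ error: 'rate limit exceeded' });
    next();
  };
}

module.exports = { TokenBucket, rateLimit, rateLimitMiddleware };
```

A token bucket allows short bursts up to `capacity` while enforcing the sustained rate; if you need to cap the count in any rolling window without bursts, a sliding-window counter is the better fit.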
SEC
Cookie Security: HttpOnly, Secure, SameSite, __Host-
Cookie security flags: HttpOnly, Secure, SameSite (Strict/Lax/None), __Host- prefix, Max-Age vs Expires. PHP, Express, nginx examples.
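As an added example for the cookie entry above (not code from the linked article), this Node.js helper builds a Set-Cookie header and enforces the attribute rules browsers apply, so that an invalid combination (SameSite=None without Secure, a __Host- cookie with a Domain attribute) fails at build time instead of silently being dropped by the browser. The cookie names and values are constructed for illustration.

```javascript
// Added example (not from the original article): build a Set-Cookie header
// while enforcing the flag rules browsers apply.

function buildSetCookie(name, value, opts = {}) {
  const {
    httpOnly = true, secure = true, sameSite = 'Lax',
    path = '/', domain, maxAge,
  } = opts;

  // Cookie names are RFC 6265 tokens; values must not contain separators.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('cookie value must not contain whitespace, ; , " or \\');
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('SameSite must be Strict, Lax or None');
  // Browsers reject SameSite=None unless Secure is also set.
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  // __Secure- prefix: must carry the Secure flag.
  if (name.startsWith('__Secure-') && !secure) throw new Error('__Secure- cookies must be Secure');
  // __Host- prefix: Secure, Path=/ and no Domain attribute, so the cookie is
  // bound to exactly this host and cannot be planted by a sibling subdomain.
  if (name.startsWith('__Host-')) {
    if (!secure) throw new Error('__Host- cookies must be Secure');
    if (path !== '/') throw new Error('__Host- cookies must have Path=/');
    if (domain !== undefined) throw new Error('__Host- cookies must not set Domain');
  }

  const parts = [`${name}=${value}`, `Path=${path}`];
  if (domain !== undefined) parts.push(`Domain=${domain}`);
  // Max-Age takes precedence over Expires in modern browsers, so only Max-Age is emitted;
  // omit it for a session cookie that should die with the browser session.
  if (maxAge !== undefined) parts.push(`Max-Age=${Math.floor(maxAge)}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// A session cookie with the recommended hardening: __Host- prefix, Secure,
// HttpOnly, SameSite=Lax, one-hour lifetime.
function sessionCookie(sessionId) {
  return buildSetCookie('__Host-session', sessionId, { maxAge: 3600 });
}

module.exports = { buildSetCookie, sessionCookie };
```

Use `res.setHeader('Set-Cookie', sessionCookie(id))` in a Node handler; when the app sits behind a TLS-terminating proxy, the Secure flag is still correct because it describes the client-facing connection, not the hop to the backend.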
SEC
HTTP to HTTPS Migration: Redirects, Mixed Content, HSTS
HTTP to HTTPS migration guide: certificate, 301 redirect, fixing mixed content, HSTS, canonical URLs, SEO without traffic loss.
SEC
Prevent XSS Attacks: Escaping, CSP and Trusted Types
XSS types — stored, reflected, DOM-based — and how to stop them with context-aware escaping, CSP and Trusted Types, plus HttpOnly cookies to limit the damage of session theft when an injection does get through.
SEC
Clickjacking Prevention: X-Frame-Options vs frame-ancestors
Clickjacking attacks explained: X-Frame-Options, CSP frame-ancestors, SameSite cookies, JS frame-busting. nginx setup and verification.
SEC
CORS: Complete Guide to Access-Control-Allow
CORS, preflight OPTIONS, Access-Control-Allow-Origin, credentials, common errors. nginx/Express/NestJS setup and curl debugging.
SEC
CSP (Content Security Policy): Setup Guide
Content Security Policy setup: directives, nonce, strict-dynamic, report-uri. Ready nginx and Next.js examples plus debugging and common mistakes.