
Security Learning Hub

Web security in one place: security scanner tool, CSP/HSTS/X-Frame-Options reference, how-to (DevSec, SBOM, cosign), research (prompt injection, supply chain attacks).

→ Use the tool: Security Scanner

Glossary (17)

Prompt Injection — Attack on LLM

Prompt injection: hijacking an LLM via malicious instructions placed in its input. Direct vs indirect injection. Defences: guardrails, input sanitisation.

Refresh Token — What It Is

Refresh token — a long-lived token used to obtain new access tokens. Storage, rotation, revocation.

Webhook Signing — HMAC Signature

Webhook signing — an HMAC signature over the payload that lets the receiver detect forged requests. Stripe, GitHub, Telegram patterns.

JWK — JSON Web Key

JWK (JSON Web Key, RFC 7517) — JSON representation of cryptographic keys. JWKS, key rotation, OAuth 2.0.

PKCE — Proof Key for Code Exchange

PKCE (RFC 7636) is an OAuth 2.0 extension protecting the authorization code flow in public clients (SPA, mobile).

WebAuthn / Passkeys — Passwordless Authentication

WebAuthn (Passkeys) — W3C standard for passwordless authentication via biometrics or security keys. FIDO2.

Zero Trust — What It Is and How It Works in 2026

Zero Trust is a security model: never trust by default, always verify. Difference from the classic perimeter model, tooling, Google's BeyondCorp model.

OAuth 2.0 — What It Is, Flow Types, vs JWT

OAuth 2.0 is a delegated authorization protocol. Authorization Code, Client Credentials, Device, PKCE flows. Difference from OpenID Connect.

XSS — What It Is and How It Works [2026]

XSS — definition, examples, where it occurs. Free online check.

Rate limiting — What It Is and How It Works [2026]

Rate limiting — definition, examples, where it applies. Free online check.

503 Service Unavailable — What It Is and How It Works [2026]

503 Service Unavailable — definition, examples, when it is returned. Free online check.

DDoS attack — What It Is and How It Works [2026]

DDoS attack — definition, examples, attack types. Free online check.

CSRF — What It Is and How It Works [2026]

CSRF — definition, examples, where it occurs. Free online check.

HSTS Preload List — Submission Guide [2026]

HSTS Preload — clear explanation, how to configure, common mistakes. Free online check.

SRI (Subresource Integrity) — Supply-Chain Protection [2026]

SRI (Subresource Integrity) — clear explanation, how to configure, common mistakes. Free online check.

WAF (Web Application Firewall) Explained [2026]

WAF (Web Application Firewall) — how it works, popular solutions, OWASP CRS. Check site security online.

HSTS Explained — How to Configure [2026]

HSTS (HTTP Strict Transport Security) — what it is, why it matters, how to configure correctly and submit to the preload list. Check HSTS o…

How-to (16)

Configure Rate Limiting in nginx

Nginx rate limiting: limit_req_zone, burst, nodelay, 429 responses, fail2ban integration.

Configure Ingress in Kubernetes

Ingress in Kubernetes: nginx-ingress-controller, TLS via cert-manager, path/host-based routing, rate-limit annotations.

How to Audit npm Supply Chain

npm audit + Socket.dev + Snyk + Dependabot: detecting malicious packages, typosquatting, postinstall scripts. Runtime protection.

How to Sign Docker Images with Cosign

Cosign (Sigstore): keyless cryptographic signing of container images. CI/CD integration, SLSA compliance, supply chain security.

How to Set Up Snyk Security Scanning

Snyk for npm/Python/Docker: CI/CD integration, SARIF uploads, vulnerability database. Failing the build on high-severity CVEs.

How to Rotate Production Secrets — 2026

Secret rotation: AWS Secrets Manager, HashiCorp Vault, GitHub secret scanning. API keys, DB passwords, JWT secrets — how, when, automation.

How to Prevent Prompt Injection in LLM — 2026

Prompt injection is #1 in the OWASP Top 10 for LLM Applications. Guardrails, structured output, Lakera, Rebuff, NeMo. Best practices.

How to Secure AI API Keys — 2026

Best practices for OpenAI/Anthropic/Google keys. Backend proxy, rate limit, budget alerts, key rotation.

How to Secure API Keys — 2026

Secure API key handling: storage, rotation, leak detection, .env, Vault, environment vars. Git secrets scanning.

How to Enable CSRF Protection — 2026

CSRF protection: synchronizer tokens, Double-Submit Cookie, SameSite cookie. PHP, Django, Express examples.

How to Set Up HashiCorp Vault for Secrets

Step-by-step Vault install: dev mode, production init, auth methods, KV store, K8s integration.

How to Block a Country in nginx — 2026

nginx GeoIP country blocking: MaxMind GeoLite2, ngx_http_geoip2_module, allow/deny lists. How to exempt admin access from the block.

How to Harden an SSH Server — 2026

Step-by-step SSH hardening: key-based authentication instead of passwords, fail2ban, port change, AllowUsers.

How to Set Up an OAuth 2.0 Provider — 2026

Step-by-step OAuth 2.0 provider setup for "Login with X". Google, GitHub, VK, Yandex. Authorization Code flow + PKCE.

How to Set Up Fail2Ban — Brute-Force Defence 2026

Step-by-step Fail2Ban setup: jails for SSH, nginx, and login brute force. Filters, ban actions, alerting.

How to Enable HSTS on Your Site (nginx/Apache) [2026]

Step-by-step HSTS setup: max-age, includeSubDomains, preload. How to submit to HSTS Preload List.

Alternatives (3)

Research (5)

Other pages (1)