# JustAppSec

> Application security research, CVE intelligence, guides, and training.
> Practical security content for people who build software.

- Website: https://justappsec.com
- Full content: https://justappsec.com/llms-full.txt
- RSS feed: https://justappsec.com/news/feed
- Sitemap: https://justappsec.com/sitemap.xml

## Research

In-depth, evergreen articles covering vulnerability classes, attack techniques, and defensive practices.

- [Authentication](https://justappsec.com/research/authentication): A threat-focused guide to authentication, covering attack paths, design pitfalls, and concrete defenses from password storage to MFA, sessions, and account recovery.
- [Business Logic Abuse](https://justappsec.com/research/business-logic-abuse): Covers how attackers exploit intended workflows and business rules to gain unfair advantage or bypass controls. Includes threat modeling ideas, common abuse patterns, and defensive validation strategies.
- [Command Injection](https://justappsec.com/research/command-injection): Explains how untrusted input reaches OS command execution paths and enables remote command execution. Covers common vectors, impact, and safe invocation patterns.
- [Cross-Origin Resource Sharing (CORS)](https://justappsec.com/research/cross-origin-resource-sharing): Describes how CORS works and how misconfigurations expose cross-origin data to attackers. Provides threat models and practical policy hardening guidance.
- [Cross-Site Request Forgery (CSRF)](https://justappsec.com/research/cross-site-request-forgery): Explains how CSRF abuses a victim's authenticated browser to perform unintended actions. Covers common delivery methods and layered defenses such as anti-CSRF tokens, SameSite cookies, and origin checks.
- [Cross-Site Scripting (XSS)](https://justappsec.com/research/cross-site-scripting): Covers reflected, stored, and DOM-based XSS and why it remains high impact. Provides prevention guidance including contextual output encoding, safe APIs, and CSP.
- [File Upload Security](https://justappsec.com/research/file-upload-security): Details how unsafe uploads lead to malware, code execution, and data exposure across systems. Provides validation, storage isolation, scanning, and hardening controls.
- [Insecure Direct Object References (IDOR)](https://justappsec.com/research/insecure-direct-object-references): Explains object-level authorization failures that let users access or modify other users' data. Covers attack patterns and robust authorization checks.
- [JSON Web Tokens (JWT)](https://justappsec.com/research/json-web-tokens): Explains JWT structure, threat models, and common validation pitfalls. Includes secure usage practices for signing, claims validation, and token storage.
- [Mass Assignment](https://justappsec.com/research/mass-assignment): Describes how automatic model binding can let attackers set sensitive fields. Provides safe binding patterns, DTO usage, and allowlist controls.
- [Password Storage](https://justappsec.com/research/password-storage): Explains why passwords must be hashed with salts and slow KDFs to resist offline cracking. Covers algorithm choices, peppers, and operational best practices.
- [Path Traversal](https://justappsec.com/research/path-traversal): Explains how directory traversal lets attackers read or write files outside intended scopes. Covers normalization, allowlisting, and filesystem hardening.
- [Prompt Injection](https://justappsec.com/research/prompt-injection): Covers how adversarial prompts can subvert LLM behavior or trigger unintended actions. Provides defense-in-depth guidance for prompt design, input handling, and output validation.
- [Prototype Pollution](https://justappsec.com/research/prototype-pollution): Explains how unsafe object merging can taint prototypes and alter application logic. Covers common vectors and mitigations such as key filtering and safe object creation.
- [Row-Level Security Patterns for Postgres](https://justappsec.com/research/row-level-security-patterns-for-postgres): Explains how PostgreSQL RLS enforces tenant and user isolation at the data layer. Covers policy design, session context patterns, and common pitfalls.
- [Secure Software Development Lifecycle](https://justappsec.com/research/secure-software-development-lifecycle): Outlines how to embed security into planning, design, implementation, and deployment. Covers threat modeling, risk assessment, and secure-by-design practices.
- [Server-Side Request Forgery (SSRF)](https://justappsec.com/research/server-side-request-forgery): Explains how untrusted URLs can make servers reach internal or cloud metadata endpoints. Covers validation, allowlisting, and network egress controls.
- [Session Management](https://justappsec.com/research/session-management): Explains session token lifecycle risks such as hijacking and fixation. Covers secure cookie settings, rotation, and timeout strategies.
- [SQL Injection](https://justappsec.com/research/sql-injection): Covers how unsafe query construction enables data theft and database compromise. Provides parameterization and least-privilege guidance.
- [Template Injection](https://justappsec.com/research/template-injection): Explains how untrusted input can be evaluated by template engines on the server or client. Covers safe templating patterns, sandboxing, and encoding.
- [Threat Modeling](https://justappsec.com/research/threat-modeling): Describes structured methods to identify threats early using models such as STRIDE and attack trees. Covers risk rating and mitigation planning.

## Guides

Practical how-to guides for securing applications, frameworks, and infrastructure.

- [Communicating AppSec Risk to Leadership](https://justappsec.com/guides/communicating-appsec-risk-to-leadership): How to translate security findings into business language that boards, executives, and CISOs can act on.
- [Cyber Essentials for Development Teams](https://justappsec.com/guides/cyber-essentials-for-development-teams): What the UK Cyber Essentials controls mean in practice for developers, CI/CD pipelines, and modern software delivery.
- [Supply Chain Security Fundamentals](https://justappsec.com/guides/supply-chain-security-fundamentals): SBOMs, dependency verification, supplier assessment, and provenance for development teams.
- [API Key Security Best Practices](https://justappsec.com/guides/api-key-security-best-practices): Storage, rotation, scoping, and abuse prevention.
- [How to Secure Next.js](https://justappsec.com/guides/how-to-secure-nextjs): Practical hardening checklist: auth, headers, CSP, SSRF, and deployment.
- [JWT Security Best Practices](https://justappsec.com/guides/jwt-security-best-practices): What to validate, rotate, and avoid in real systems.
- [LLM Tool-Calling Security](https://justappsec.com/guides/llm-tool-calling-security): Allowlists, validation, and least-privilege execution.
- [mTLS vs JWT vs OAuth for Service Auth](https://justappsec.com/guides/mtls-vs-jwt-vs-oauth-for-service-auth): A clear comparison with deployment tradeoffs.
- [Next.js CSP Configuration](https://justappsec.com/guides/nextjs-csp-configuration): Safe CSP defaults and how to avoid breaking your app.
- [Next.js Security Checklist](https://justappsec.com/guides/nextjs-security-checklist): A pre-launch checklist for production Next.js apps.
- [Next.js SSRF Protection](https://justappsec.com/guides/nextjs-ssrf-protection): Common SSRF paths in Next.js and how to block them.
- [OAuth 2.0 Security Best Practices](https://justappsec.com/guides/oauth-2-security-best-practices): Common pitfalls in PKCE, tokens, and redirect handling.
- [Prompt Injection Prevention](https://justappsec.com/guides/prompt-injection-prevention): Practical guardrails for LLM features and tools.
- [Rate Limiting in Node.js](https://justappsec.com/guides/rate-limiting-in-nodejs): Patterns for APIs, login endpoints, and abuse control.
- [Secrets Management in GitHub Actions](https://justappsec.com/guides/secrets-management-in-github-actions): Prevent leaks, restrict scopes, and rotate safely.
- [Secure File Uploads in Node.js](https://justappsec.com/guides/secure-file-uploads-in-nodejs): Validation, scanning, storage isolation, and safe serving patterns.
- [Secure Password Storage (bcrypt vs Argon2)](https://justappsec.com/guides/secure-password-storage-bcrypt-vs-argon2): Which to choose, how to configure, and what to avoid.
- [Secure Session Management](https://justappsec.com/guides/secure-session-management): Cookies vs tokens, rotation, and logout correctness.
- [Secure Webhook Verification](https://justappsec.com/guides/secure-webhook-verification): Signature validation, replay protection, and idempotency.
- [Securing RAG Pipelines](https://justappsec.com/guides/securing-rag-pipelines): Prevent data exfiltration and prompt hijacking.
- [Service-to-Service Authentication Best Practices](https://justappsec.com/guides/service-to-service-authentication-best-practices): When to use mTLS, JWT, or OAuth between services.
- [SQL Injection Prevention with Prisma](https://justappsec.com/guides/sql-injection-prevention-with-prisma): Safe patterns for raw queries and dynamic filters.
- [Webhook Replay Attack Protection](https://justappsec.com/guides/webhook-replay-attack-protection): Time windows, nonces, and storage strategies.

## Training

Structured lessons for developers learning application security.

- [Thinking Like an Attacker](https://justappsec.com/training/thinking-like-an-attacker): Switching perspectives — how attackers find weaknesses and what that means for your code.
- [Code Review for Security](https://justappsec.com/training/code-review-for-security): What to look for, how to triage, and building a security-aware review culture.
- [Web Application Testing](https://justappsec.com/training/web-application-testing): Hands-on techniques for finding vulnerabilities in web applications.
- [API Security Testing](https://justappsec.com/training/api-security-testing): Testing REST, GraphQL, and gRPC endpoints for common and subtle flaws.
- [Bug Bounty and Responsible Disclosure](https://justappsec.com/training/bug-bounty-and-responsible-disclosure): Finding bugs ethically, writing clear reports, and working with security teams.
- [Red Team Basics for Builders](https://justappsec.com/training/red-team-basics-for-builders): Offensive thinking applied to your own systems — before someone else does.
- [Secure Defaults in Modern Frameworks](https://justappsec.com/training/secure-defaults-in-modern-frameworks): How Rails, Next.js, Django, and Spring protect you — and where they don't.
- [API Design That Defends Itself](https://justappsec.com/training/api-design-that-defends-itself): REST, GraphQL, and gRPC patterns that reduce your attack surface by design.
- [Data Protection and Encryption](https://justappsec.com/training/data-protection-and-encryption): Encryption at rest, in transit, and the practical choices developers actually make.
- [Secrets Management](https://justappsec.com/training/secrets-management): Vaults, environment variables, rotation — keeping credentials out of code.
- [Microservice and Serverless Boundaries](https://justappsec.com/training/microservice-and-serverless-boundaries): Service-to-service auth, zero trust, and the security implications of decomposition.
- [AI Integration Security](https://justappsec.com/training/ai-integration-security): Prompt injection, model poisoning, and securing LLM-powered features.
- [Injection Today](https://justappsec.com/training/injection-today): SQL, NoSQL, ORM, and LLM injection — what's changed and what hasn't.
- [XSS in React, Vue and Server Components](https://justappsec.com/training/xss-in-modern-frameworks): Cross-site scripting in modern component frameworks and how to prevent it.
- [Authentication Patterns](https://justappsec.com/training/authentication-patterns): OAuth 2.1, passkeys, WebAuthn, and JWTs — modern identity for modern apps.
- [Authorisation and Access Control](https://justappsec.com/training/authorisation-and-access-control): RBAC, ABAC, and privilege escalation patterns in real applications.
- [Session Management](https://justappsec.com/training/session-management): Tokens, cookies, and state — keeping sessions secure in stateless architectures.
- [Secure File Handling](https://justappsec.com/training/secure-file-handling): Uploads, storage, and serving files without opening the door to attackers.
- [Input Validation and Schema Enforcement](https://justappsec.com/training/input-validation-and-schema-enforcement): Validate early, validate strictly — schemas, allowlists, and type-safe boundaries.
- [SSRF and Request Forgery](https://justappsec.com/training/ssrf-and-request-forgery): When your server makes requests on behalf of an attacker.
- [Logging and Detection Engineering](https://justappsec.com/training/logging-and-detection-engineering): Writing logs that actually help you find attackers — structured, contextual, actionable.
- [Monitoring and Alerting for Security Events](https://justappsec.com/training/monitoring-and-alerting-for-security-events): From noise to signal — building alerts that surface real threats.
- [Incident Response for Teams That Ship Daily](https://justappsec.com/training/incident-response-for-teams-that-ship-daily): Playbooks, communication, and containment for fast-moving engineering teams.
- [Vulnerability Management](https://justappsec.com/training/vulnerability-management): Triage, prioritisation, SLAs, and not drowning in CVEs.
- [WAF, CDN and Edge Security](https://justappsec.com/training/waf-cdn-and-edge-security): Rate limiting, bot mitigation, and the security controls at the perimeter.
- [Compliance as Code](https://justappsec.com/training/compliance-as-code): Turning SOC 2, ISO 27001, and PCI DSS controls into automated, testable guardrails.
- [CI/CD Pipeline Security](https://justappsec.com/training/cicd-pipeline-security): Securing the path from commit to production — runners, permissions, and gates.
- [Dependency and Supply Chain Management](https://justappsec.com/training/dependency-and-supply-chain-management): SBOMs, lock files, and surviving the next big supply chain attack.
- [Container and Image Security](https://justappsec.com/training/container-and-image-security): Building minimal, signed, scannable images that run safely in production.
- [Infrastructure as Code](https://justappsec.com/training/infrastructure-as-code): Terraform, Pulumi, CloudFormation — and the security foot-guns in declarative infra.
- [Secrets in Pipelines](https://justappsec.com/training/secrets-in-pipelines): Keeping tokens, keys, and credentials safe throughout CI/CD workflows.
- [Artifact Signing and Provenance](https://justappsec.com/training/artifact-signing-and-provenance): Sigstore, SLSA, and proving your software is what you say it is.
- [Security Mindset for Developers](https://justappsec.com/training/security-mindset-for-developers): How to think about security as a builder, not just a defender.
- [Threat Modelling Without the Ceremony](https://justappsec.com/training/threat-modelling-without-the-ceremony): Practical threat modelling that fits into the way teams actually work.
- [Attack Surface of a Modern Web App](https://justappsec.com/training/attack-surface-of-a-modern-web-app): Mapping every entry point in a typical Next.js, Vue, or Django application.
- [Trust Boundaries and Data Flow](https://justappsec.com/training/trust-boundaries-and-data-flow): Where data crosses a trust boundary, security decisions need to happen.
- [Bridging Dev and Security Teams](https://justappsec.com/training/bridging-dev-and-security-teams): How developers and security professionals can work together without friction.

## News

Daily application security news covering vulnerabilities, CVEs, supply-chain threats, and AI security.

- [News listing](https://justappsec.com/news)
- [RSS feed](https://justappsec.com/news/feed)