Security Glossary

A comprehensive dictionary of 50+ web security terms, explained for developers. Because understanding the threat is the first step to neutralising it.

XSS

Risk: High

Cross-Site Scripting

An attacker injects malicious client-side scripts into a webpage. When other users view the page, the script executes in their browser, allowing the attacker to steal cookies or perform phishing.

Like someone sticking a piece of transparent tape with 'automatic transfer' instructions behind a notice on a public bulletin board. Anyone who touches the notice might have their money transferred away.

CSRF

Risk: High

Cross-Site Request Forgery

Inducing an authenticated user to unknowingly send unintended requests to a trusted website by leveraging the user's active session credentials.

You're at a bank counter, and a stranger slips a 'transfer to me' form into your stack of papers. You sign it without looking closely, and the bank processes the transfer because the signature is yours.

SQL Injection

Risk: Critical

SQL Injection

Inserting malicious SQL statements into web form inputs or query strings to manipulate the back-end database query logic.

Writing 'John Doe; delete the finance table' in the name field of a form. If the system isn't protected, it might actually execute the command to wipe the table.

JWT

Risk: Medium

JSON Web Token

An open standard (RFC 7519) used for securely transmitting information between parties as a JSON object.

Like a theme park pass with an anti-counterfeit stamp. It lists your permissions, and staff only need to check the stamp to know you're authorized without checking a central database.

HSTS

Risk: Low

HTTP Strict Transport Security

A security mechanism that informs browsers via a response header to only interact with the site using HTTPS, prohibiting insecure HTTP connections.

A shop hangs a sign: 'Formal wear only.' Once the browser sees this, it will automatically change any http:// addresses you type to https:// for that store.

CSP

Risk: Low

Content Security Policy

An added layer of security that lets website administrators declare which resources (JS, CSS, images) the browser may load and execute, and from which sources, so that injected or unexpected content is blocked.

A hotel guest list: only the friends and family on your list are allowed into your room; anything brought in by strangers is confiscated at the door.

Salting

Risk: Low

Salting

Adding a unique random string to a plaintext password before hashing it to defend against rainbow table attacks.

Like a chef where every customer ordering the same dish (same password) gets a unique secret spice (salt), ensuring the final meal (hash value) looks different every time.

Pepper

Risk: Low

Pepper

Similar to salting, but a 'pepper' is usually a global secret stored in code or a hardware security module rather than the database.

After the salt, the chef adds a family secret sauce kept in a safe. Even if the recipe is stolen, the flavor can't be replicated without that secret ingredient.

IDOR

Risk: High

Insecure Direct Object Reference

A vulnerability where an application allows users to access unauthorized data by modifying identifiers (such as IDs) in a request.

You go to pick up a package and realize that if you change the pickup code from 001 to 002, you can take someone else's package because the clerk doesn't check your ID.

SSRF

Risk: High

Server-Side Request Forgery

A vulnerability where an attacker induces a server-side application to make requests to an arbitrary URL of the attacker's choosing.

Leaving a note for a restaurant manager: 'Could you ask the office next door for their safe combination?' The manager asks, using their trusted status to go where you aren't allowed.

CORS

Risk: Medium

Cross-Origin Resource Sharing

A mechanism that uses HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin.

'Hey, I'm from Company A. I'd like to use Company B's copier—did your boss approve this access?'

Path Traversal

Risk: High

Path Traversal

Exploiting insufficient input validation to access files and directories outside the web root folder using characters like '../'.

The URL says 'view/photo.jpg', but you change it to 'view/../../etc/passwd' and end up seeing the system's sensitive password files.

Clickjacking

Risk: Medium

Clickjacking

Using transparent layers or iframes to overlay a webpage, tricking users into clicking hidden buttons or links.

A 'Claim Prize' button has a transparent 'Delete Account' button layered over it. You think you're getting a gift, but you're actually deleting your profile.

SameSite Cookie

Risk: Low

SameSite Attribute

A cookie attribute used to control whether cookies are sent with cross-site requests, primarily to mitigate CSRF.

A bank card rule: 'This card is only valid if presented at the bank's official counter. If you followed a link from a suspicious site, I won't accept it.'

HttpOnly Cookie

Risk: Low

HttpOnly Attribute

An attribute that prevents client-side scripts (like JavaScript) from accessing cookies, mitigating session theft via XSS.

Putting a cookie in a bulletproof glass case. You can carry it to show you're logged in, but you can't touch it directly, and neither can any malicious scripts.

Secure Cookie

Risk: Low

Secure Attribute

A cookie attribute that ensures the cookie is only transmitted over encrypted HTTPS connections.

An armored truck that is only allowed to drive on secure, guarded highways, never on ordinary dirt roads.

Rate Limiting

Risk: Medium

Rate Limiting

Restricting the number of requests a user or IP address can make within a specific timeframe.

At a bank counter, one person is only allowed to withdraw money three times per minute. If they try more, they're asked to wait in the lounge.

Brute Force

Risk: High

Brute Force Attack

An attempt to gain access by systematically trying all possible combinations of passwords or codes.

Holding a massive ring of keys and trying every single one until the lock finally opens.

Credential Stuffing

Risk: High

Credential Stuffing

A type of attack where stolen account credentials from one platform are used to gain unauthorized access to other systems.

A thief steals your keys to Apartment A and tries them at Apartment B, knowing many people use the same locks for both.

Session Hijacking

Risk: High

Session Hijacking

An attack where the attacker gains unauthorized access to information or services by stealing or predicting a valid session ID.

Slipping into your chair and taking over your computer while it's still logged in and you've stepped away.

Session Fixation

Risk: Medium

Session Fixation

An attack where the attacker provides a valid session ID to a victim and induces them to log in with it, thereby gaining control over the authenticated session.

A thief leaves their own key in a locker and tricks you into using that specific locker. Once you've stored your valuables, they use their spare key to open it.

OAuth 2.0

Risk: Medium

Authorization Framework

An authorization protocol that allows third-party applications to obtain limited access to user resources on another service without sharing the password.

The hotel front desk doesn't give you the master key (password) but gives you a keycard (token) that only opens your specific room and expires when you check out.

OIDC

Risk: Medium

OpenID Connect

An identity layer built on top of the OAuth 2.0 protocol used to verify the identity of the end-user.

Your hotel keycard (OAuth) not only opens the door but also displays your name and ID on a screen when you swipe it.

RBAC

Risk: Low

Role-Based Access Control

A method of regulating access to resources based on the roles of individual users within an organization.

If you're a 'Manager,' you can see the financial reports. It doesn't matter if your name is John or Jane.

ABAC

Risk: Low

Attribute-Based Access Control

An authorization model that provides access based on attributes of the user, the resource, and the environment.

Even if you're a manager, you must be in the 'Company Office' during 'Work Hours' to view the reports.

MFA/2FA

Risk: Low

Multi-Factor Authentication

A security process that requires users to provide two or more different factors to verify their identity.

To enter the vault, you need both a physical key (something you have) and a fingerprint scan (something you are).

Hashing

Risk: Medium

Hashing

A one-way function that converts input of any length into a fixed-length output string, which is irreversible.

Putting a cow through a meat grinder to make sausages. You can't look at the sausage and know what the cow looked like, and you certainly can't turn the sausage back into a cow.

Rainbow Table

Risk: High

Rainbow Table

A precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.

A thief has a 'Sausage-to-Cow Reference Book.' They see your sausage and look it up to find exactly which cow it came from.

AES

Risk: Low

Advanced Encryption Standard

A symmetric encryption algorithm standard where the same key is used for both encryption and decryption.

A locked box you send to a friend. Your friend must have an identical key to yours to unlock it.

RSA

Risk: Low

Asymmetric Encryption Algorithm

An asymmetric encryption algorithm that uses a public key for encryption and a private key for decryption.

You distribute 'locks that only close' (public keys) to the world. People put messages in boxes and lock them. Only your personal key (private key) can open them.

TLS

Risk: Low

Transport Layer Security

A protocol that provides authentication and data encryption between different endpoints.

Communication parties create an invisible, anti-eavesdropping armored pipeline before talking.

SRI

Risk: Low

Subresource Integrity

A security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation.

Ordering takeout online where the merchant puts a one-time seal on the bag. If you find the seal broken upon delivery, you refuse the order.

X-Frame-Options

Risk: Low

X-Frame-Options Header

An HTTP response header used to indicate whether a browser should be allowed to render a page in a frame, iframe, or object.

'Do not allow my website content to be nested in someone else's small box to prevent UI redressing attacks like clickjacking.'

X-Content-Type-Options

Risk: Low

X-Content-Type-Options Header

A header used by the server to prevent the browser from 'guessing' the MIME type of a file (MIME sniffing).

If I say this is a picture, you treat it as a picture. Do not try to execute it as a script behind my back!

WAF

Risk: Low

Web Application Firewall

A firewall that monitors and filters HTTP traffic between a web application and the internet to protect against attacks like SQLi and XSS.

A security guard at a restaurant entrance specifically checking if guests are carrying hazardous materials or contraband.

IDS/IPS

Risk: Low

Intrusion Detection/Prevention System

IDS monitors network traffic for suspicious activity; IPS blocks suspicious activity when it is discovered.

IDS is a security camera and a guard who yells when they see a thief; IPS is an automated system that locks the doors immediately.

Captcha

Risk: Low

CAPTCHA

A type of challenge-response test used in computing to determine whether or not the user is human.

'Prove you're not a robot by finding all the traffic lights in these photos.'

Zero Trust

Risk: Low

Zero Trust Architecture

A security framework requiring all users to be authenticated, authorized, and continuously validated before being granted access to data.

Even if you're inside the company building, you must swipe your card to enter the office, the restroom, and the breakroom.

Least Privilege

Risk: Low

Principle of Least Privilege

The concept that a user or program should only have access to the specific data and resources needed to complete a task.

If I come to fix your AC, you only give me the key to the AC room, not the keys to your entire house and safe.

Defense in Depth

Risk: Low

Defense in Depth

An information security strategy that uses multiple layers of security controls throughout an IT system.

Protecting a vault: first a perimeter wall, then cameras, then a thick vault door, and finally individual safety deposit boxes.

Attack Surface

Risk: High

Attack Surface

The sum total of all possible entry points and vulnerabilities in a system that an attacker can exploit.

The more windows and doors your house has, the more opportunities a burglar has to break in.

Penetration Testing

Risk: Medium

Penetration Testing

A simulated cyberattack against your computer system to check for exploitable vulnerabilities.

Hiring a professional thief to try and break into your house so you can find out exactly how they got in and fix it.

Vulnerability Scan

Risk: Low

Vulnerability Scanning

An automated process to identify security vulnerabilities in a system or network.

Using a 'common damage checklist' to walk around your house and see if any windows are unlocked or if any locks are broken.

SAST

Risk: Low

Static Application Security Testing

Scanning and analyzing source code for security vulnerabilities without executing the code.

Checking the blueprints before building a skyscraper to ensure the support beams are thick enough and the wiring won't short-circuit.

DAST

Risk: Medium

Dynamic Application Security Testing

Testing an application in its running state to find security vulnerabilities through external inputs.

Once the building is finished, kicking the front door and messing with the elevator buttons to see if anything breaks.

SCA

Risk: Medium

Software Composition Analysis

Analyzing third-party open-source libraries used in a project for known security vulnerabilities.

Checking the glue and paint you bought for a renovation to ensure they aren't toxic or low-quality.

CVE

Risk: Medium

Common Vulnerabilities and Exposures

A list of publicly disclosed cybersecurity vulnerabilities, each assigned a unique identification number.

A police 'Wanted Poster' number; when CVE-2021-44228 is mentioned, everyone knows it's the famous Log4j vulnerability.

Zero-Day

Risk: Critical

Zero-Day Vulnerability

A vulnerability in software that is unknown to the vendor and has no patch available.

A brand-new virus that doctors haven't seen yet, and for which there is no vaccine or cure.

Open Redirect

Risk: Medium

Open Redirect

When an application redirects a user to an external, potentially malicious website specified in a URL parameter.

You think you're clicking 'Enter Official Site,' but the page takes you to a phishing site that looks identical.

Command Injection

Risk: Critical

Command Injection

When an attacker executes arbitrary system commands on the host operating system via a vulnerable application.

The system asks 'Which file to backup?' and you answer 'photo.jpg && shutdown,' causing the system to actually turn off the server.