Jun 4 · 16 min read · I kept seeing the same advice. "Sanitize your inputs." "Set HttpOnly." "Add a CSRF token." I knew these mattered. I even knew how to apply them. But I couldn't have told you what I was actually defend
May 22 · 10 min read · The first time a pen tester filed a CSRF finding against a portal I owned, my reaction was the same as everyone else's: "We're SameSite=Lax. Aren't we fine?" We weren't fine. And the fix wasn't the fr
Mar 29 · 14 min read · How to Secure an API: The 4-Layer Framework That Works APIs are the backbone of every modern app. They are also the most common entry point for attackers. Most developers bolt security on as an afterthought: one middleware, one config flag, one if us...
Feb 15 · 2 min read · You can have the cleanest React code, the fastest API, and the most beautiful UI. But if I can inject a script into your search bar that steals your users' session cookies, your startup is dead. Security is not an "add-on." It is a fundamental requi...
Feb 12 · 10 min read · Why Traditional CSRF Protection Fails in Modern Architectures Classic CSRF protection relied heavily on server-side session storage, where a synchronizer token was generated per session and validated against session state. This approach worked well f...
Jan 26 · 4 min read · Cross-Site Request Forgery (CSRF) is an attack where a malicious website tricks an authenticated user into performing an unwanted action on a trusted site where the user is currently logged in. Because browsers automatically send cookies (including s...
Jan 8 · 3 min read · The Problem Imagine you're logged into bank.com. While browsing the web, you visit evil.com which contains this innocent-looking link: Win a Free iPhone! 🎁 When you click, your browser sends the request to bank.com with your authentication cookies a...