Web App Security Glossary

54+ security terms explained in plain English for vibe coders and indie founders. Every term your scanner flags — demystified.

SQL Injection

Injection

An attack where untrusted input is concatenated into a SQL query and ends up executed as part of the query instead of being treated as data.
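Added example (not code from the Vezraa page): the same lookup written both ways against an in-memory SQLite table. The table and the `' OR '1'='1` payload are constructed for the demo. The string-built query returns every user because the payload rewrites the WHERE clause; the parameterized query treats the whole payload as a username and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data: a two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so it can change the query's structure.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # A placeholder sends the value separately; the driver never parses it as SQL.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


PAYLOAD = "' OR '1'='1"  # classic tautology payload (constructed for the example)


def demo():
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),  # every row comes back
        "safe": find_user_safe(conn, PAYLOAD),              # no user has that name
        "legit": find_user_safe(conn, "alice"),             # normal lookups still work
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Parameterization, not input "sanitizing", is the fix: escaping quotes by hand misses numeric contexts, LIKE patterns and driver-specific quirks, while placeholders keep data and query structure separate by construction.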

Cross-Site Scripting (XSS)

Injection

An attack where malicious scripts are injected into web pages viewed by other users.

Cross-Site Request Forgery (CSRF)

Authentication

An attack that tricks authenticated users into performing unwanted actions on your app.

Server-Side Request Forgery (SSRF)

Server-Side

An attack that tricks your server into making requests to internal or cloud metadata services.
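Added example (not from the Vezraa page) of the destination check a server should run before fetching a user-supplied URL. The `FAKE_DNS` table stands in for real name resolution so the code runs offline; in production you resolve for real and feed every answer through the same test. The check refuses non-http(s) schemes, loopback, private and link-local ranges (including the 169.254.169.254 metadata address), IPv4-mapped IPv6 literals, and bare decimal hosts such as `2130706433`, which HTTP clients treat as 127.0.0.1.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver stand-in (not real DNS): hostnames and the answers they would return.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker.example": ["1.1.1.1", "10.0.0.5"],  # one public, one internal answer
}


def is_public_ip(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as the IPv4 address it names.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def resolve_host(host: str) -> list:
    # Numeric hosts never touch DNS: dotted quads, IPv6 literals, and bare decimals such as
    # 2130706433, which clients interpret as 127.0.0.1.
    if host.isdigit():
        return [ipaddress.ip_address(int(host))]
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def is_safe_destination(url: str) -> bool:
    """True only for http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        answers = resolve_host(parts.hostname)
    except ValueError:
        return False
    # Every answer must be public: a single internal record is enough to refuse the fetch.
    return bool(answers) and all(is_public_ip(ip) for ip in answers)


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1", "http://169.254.169.254/latest/meta-data/",
              "http://2130706433/", "https://rebind.attacker.example/"):
        print(u, "->", "allow" if is_safe_destination(u) else "block")
```

Two caveats the one-liner hides: the address you checked must be the one you connect to (re-resolving at connect time reopens a DNS rebinding window, so connect to the vetted IP and set the Host header yourself), and redirects must be disabled or re-checked hop by hop, since a public host can 302 you to the metadata service.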

Insecure Direct Object Reference (IDOR)

Access Control

A vulnerability where users can access other users' data by changing an ID parameter.

Path Traversal

Injection

An attack where file paths are manipulated to access restricted files on the server.

Remote Code Execution (RCE)

Critical

An attack that allows arbitrary code execution on your server from a remote source.

Local File Inclusion (LFI)

Injection

An attack that includes local files on the server through user-controlled input.
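Added example (not from the Vezraa page) covering both the Path Traversal and Local File Inclusion entries: one containment check that maps a user-supplied filename onto a fixed upload directory and refuses anything that resolves outside it. `/srv/app/uploads` is an assumed root; the check works for any absolute directory. It handles the usual evasions (`%2e%2e/`, backslashes, absolute paths, NUL bytes) by normalising first and then testing the resolved path, rather than by blocklisting strings.

```python
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Assumed upload root for the example; any absolute directory works.
UPLOAD_ROOT = Path("/srv/app/uploads").resolve()


def resolve_upload(user_path: str) -> Path:
    """Map a user-supplied path onto UPLOAD_ROOT, refusing anything that would leave it."""
    # Decode once so %2e%2e%2f is judged as the ../ it becomes on disk. If your framework has
    # already decoded the segment, drop this line; either way, open only the returned path.
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators too, so ..\..\ cannot slip past a '/'-only check.
    decoded = decoded.replace("\\", "/")
    # Joining an absolute path would discard UPLOAD_ROOT entirely; force it relative first.
    relative = PurePosixPath(decoded.lstrip("/"))
    # resolve() collapses '..' and follows symlinks, so the containment test sees the real target.
    candidate = (UPLOAD_ROOT / relative).resolve()
    if UPLOAD_ROOT not in candidate.parents:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def is_safe_upload_path(user_path: str) -> bool:
    try:
        resolve_upload(user_path)
        return True
    except ValueError:
        return False


def relative_name(user_path: str) -> str:
    """The path as stored under UPLOAD_ROOT, POSIX-style (raises for unsafe input)."""
    return resolve_upload(user_path).relative_to(UPLOAD_ROOT).as_posix()


if __name__ == "__main__":
    for p in ("avatars/alice.png", "../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
              "..\\..\\..\\windows\\win.ini", "/etc/passwd"):
        print(f"{p!r}: {'ok ' + relative_name(p) if is_safe_upload_path(p) else 'rejected'}")
```

Note that `/etc/passwd` is accepted: the leading slash is stripped, so it names `uploads/etc/passwd`, which is inside the root. Stripping a blocklist of `../` strings would instead miss `....//` and encoded variants; checking the resolved path is what makes the test complete.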

Remote File Inclusion (RFI)

Injection

An attack that includes remote files from external servers through vulnerable includes.

CORS Misconfiguration

API Security

Overly permissive cross-origin resource sharing settings that expose your API.

Clickjacking

Client-Side Security

An attack that loads your page in an invisible frame over a decoy page, so a user who clicks the decoy actually clicks a button on your site.

Subdomain Takeover

DNS Security

Claiming an unclaimed external service pointed to by a subdomain's CNAME record.

JWT Attacks

Authentication

Exploitation of weak JWT implementations including algorithm confusion and weak secrets.
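Added example (not from the Vezraa page) of the two failure modes the entry names. A minimal HS256 JWT is built by hand so the demo runs offline; `SECRET` and the `b"secret"` weak key are constructed. `verify_trusting_header` honours whatever `alg` the token claims and therefore accepts an unsigned `alg: none` token; `verify_pinned` lets the server decide the algorithm. `crack_hs256` shows why a guessable secret is fatal: anyone holding a single token can test a wordlist against it offline.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # example key only; real HS256 keys need >= 256 bits of entropy


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg='none' yields the unsigned form an attacker would forge."""
    header = {"alg": alg, "typ": "JWT"}
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_trusting_header(token: str, key: bytes):
    """Flawed verifier: honours whatever 'alg' the token's own header claims."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body_b64))  # unsigned token accepted as-is
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256"):
    """Correct verifier: the server fixes the algorithm; the header may only confirm it."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != expected_alg or not sig_b64:
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))


def crack_hs256(token: str, candidates):
    """Offline guessing of a weak HS256 secret: anyone holding one token can run this."""
    head_b64, body_b64, sig_b64 = token.split(".")
    sig = b64url_decode(sig_b64)
    for guess in candidates:
        mac = hmac.new(guess, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, sig):
            return guess
    return None


def demo() -> dict:
    forged = encode_jwt({"sub": "attacker", "role": "admin"}, b"", alg="none")
    genuine = encode_jwt({"sub": "alice", "role": "user"}, SECRET)
    tampered = genuine.rsplit(".", 1)[0] + "." + b64url_encode(b"\x00" * 32)
    weak = encode_jwt({"sub": "alice"}, b"secret")  # constructed weak-secret token
    return {
        "flawed_accepts_forged": verify_trusting_header(forged, SECRET),
        "pinned_rejects_forged": verify_pinned(forged, SECRET),
        "pinned_accepts_genuine": verify_pinned(genuine, SECRET),
        "pinned_rejects_tampered_sig": verify_pinned(tampered, SECRET),
        "weak_secret_recovered": crack_hs256(weak, [b"password", b"secret", b"changeme"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The RS256-to-HS256 "algorithm confusion" bug has the same root cause as the `none` case: the verifier lets the header choose the algorithm, so a public key meant for RSA verification gets used as an HMAC secret. Pinning the algorithm (and the key type that goes with it) closes both.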

Session Fixation

Authentication

An attack where an attacker sets a user's session ID to a known value.

Open Redirect

Input Validation

A redirect endpoint that forwards users to arbitrary URLs without validation.
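Added example (not from the Vezraa page) of validating a `next` parameter before redirecting. `https://app.example` is an assumed origin. Rather than blocklisting hosts, it accepts only absolute local paths and rejects anything with a scheme or authority, including the protocol-relative `//evil.example`, the backslash variant `/\evil.example` that browsers treat the same way, and `javascript:` URLs.

```python
from urllib.parse import urljoin, urlsplit

# Assumed canonical origin of the application; redirects may only land here.
SITE = "https://app.example"


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return an absolute same-origin URL for a 'next' parameter, or `default` if it points away.

    Assumes the framework has already URL-decoded the parameter once.
    """
    if not next_param:
        return default
    # Browsers treat '/\evil.example' like '//evil.example'; normalise before parsing.
    raw = next_param.replace("\\", "/")
    parts = urlsplit(raw)
    # A scheme or an authority (https://..., //evil.example, javascript:...) means "not our path".
    if parts.scheme or parts.netloc:
        return default
    # Only absolute local paths: no bare relative names, no protocol-relative URLs.
    if not raw.startswith("/") or raw.startswith("//"):
        return default
    resolved = urljoin(SITE + "/", raw)
    # Belt and braces: confirm the final URL still carries our host after joining.
    if urlsplit(resolved).netloc != urlsplit(SITE).netloc:
        return default
    return resolved


if __name__ == "__main__":
    for n in ("/dashboard?tab=2", "https://evil.example/login", "//evil.example",
              "/\\evil.example", "javascript:alert(1)", "dashboard"):
        print(f"{n!r} -> {safe_redirect_target(n)}")
```

Where you need to send users off-site (an OAuth provider, a payment page), keep a fixed allowlist of full URLs or hostnames compared exactly, never with `startswith` or `endswith`, which `https://app.example.evil.example` defeats.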

Mass Assignment

API Security

Binding all request parameters to model attributes without filtering sensitive fields.
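Added example (not from the Vezraa page): a profile update that copies the whole request body onto the user record, beside the allowlisted version. The record, field names and the attacker's payload are constructed for the demo. The vulnerable form lets a request that legitimately changes `display_name` also set `role` and `balance_cents`.

```python
def make_user() -> dict:
    """Constructed example record (not data from the page)."""
    return {"id": 7, "email": "alice@example.com", "display_name": "Alice",
            "role": "user", "balance_cents": 0}


# Fields a user may change about their own profile; everything else is server-owned.
PROFILE_FIELDS = frozenset({"email", "display_name"})


def update_profile_mass_assign(user: dict, payload: dict) -> dict:
    """Vulnerable: binds every key the client sent, so 'role' and 'balance_cents' are writable."""
    user.update(payload)
    return user


def update_profile_allowlisted(user: dict, payload: dict):
    """Fixed: copy only allowlisted fields and report the rest so the attempt can be logged."""
    rejected = sorted(set(payload) - PROFILE_FIELDS)
    for field in PROFILE_FIELDS & set(payload):
        user[field] = payload[field]
    return user, rejected


# Constructed attacker payload: a legitimate change bundled with two privileged fields.
ATTACK = {"display_name": "Mallory", "role": "admin", "balance_cents": 100_000_000}


if __name__ == "__main__":
    print("mass-assigned:", update_profile_mass_assign(make_user(), ATTACK))
    updated, dropped = update_profile_allowlisted(make_user(), ATTACK)
    print("allowlisted:  ", updated, "dropped:", dropped)
```

ORMs that offer `create(**request.json)` or `update(params)` behave like the first function unless you pass a schema or "permitted" list; the allowlist belongs in the handler for each endpoint, since the fields a user may set differ from the fields an admin may.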

Broken Object Level Authorization (BOLA)

API Security

API vulnerability where object-level access controls are missing or broken.
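Added example (not from the Vezraa page) serving both the IDOR entry above and this BOLA entry, since they describe the same missing check. An in-memory SQLite table of invoices is constructed for the demo. The vulnerable lookup is keyed on the ID alone, so `bob` can read invoice 1001 by changing a number; the fixed version scopes the query by the authenticated owner, so a foreign ID simply matches nothing, and "does not exist" and "not yours" look identical to the caller.

```python
import sqlite3


def make_db():
    """Constructed sample data: invoices belonging to two different accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1001, "alice", 120.0), (1002, "bob", 75.5)])
    return conn


def get_invoice_idor(conn, current_user: str, invoice_id: int):
    """Vulnerable: the query is keyed on the ID alone; current_user is never consulted."""
    return conn.execute(
        "SELECT id, owner, total FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_scoped(conn, current_user: str, invoice_id: int):
    """Fixed: every object lookup carries the authenticated identity as a filter."""
    return conn.execute(
        "SELECT id, owner, total FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()  # None for both 'missing' and 'not yours': no enumeration oracle


def demo() -> dict:
    conn = make_db()
    return {
        "idor_bob_reads_alice": get_invoice_idor(conn, "bob", 1001),
        "scoped_bob_reads_alice": get_invoice_scoped(conn, "bob", 1001),
        "scoped_alice_reads_own": get_invoice_scoped(conn, "alice", 1001),
        "scoped_missing": get_invoice_scoped(conn, "alice", 9999),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The owner filter has to appear on every path that touches the object (read, update, delete, export), which is why teams move it into a repository layer or into database Row Level Security rather than remembering it per endpoint.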

API Key Exposure

Secret Exposure

Accidentally exposing API keys in client-side code or public repositories.

Secrets in Environment Variables

Secret Exposure

Server-side secrets placed in environment variables that the build tool bundles into client-side code, for example variables given a framework's public prefix such as NEXT_PUBLIC_, where anyone can read them from the browser.

Supply Chain Attack

Supply Chain

Malicious code introduced through third-party dependencies or compromised packages.

Dependency Confusion

Supply Chain

Installing a malicious public package with the same name as an internal private package.

Typosquatting

Supply Chain

Registering packages with names similar to popular ones to trick developers into installing malware.

Prompt Injection

AI Security

Manipulating an LLM's behavior by placing instructions in input it processes, whether typed by the user directly or embedded in content the model reads such as web pages, documents or tool output.

Jailbreak

AI Security

Bypassing an LLM's content safety filters with creative prompting.

Model Inversion

AI Security

Reconstructing sensitive attributes of training data, or the training inputs themselves, by repeatedly querying a model and working back from its outputs.

Training Data Poisoning

AI Security

Injecting malicious data into a model's training set to corrupt its behavior.

RAG Poisoning

AI Security

Injecting malicious content into the knowledge base of a RAG system.

Insecure Deserialization

Critical

Feeding crafted serialized data to an application that deserializes it, so that reconstructing the objects triggers code execution or tampers with application state.

XML External Entity (XXE)

Injection

Exploiting XML parsers to read internal files or perform SSRF.

HTTP Strict Transport Security (HSTS)

Security Headers

A response header telling browsers to reach your site only over HTTPS for a stated period, upgrading http:// links automatically and refusing to click through certificate errors.

Content Security Policy (CSP)

Security Headers

A security header that controls which resources can load on your page.

Cross-Origin Resource Sharing (CORS)

API Security

A browser mechanism that lets a server declare which other origins may read responses from its resources, selectively relaxing the same-origin policy.
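Added example (not from the Vezraa page) serving the CORS Misconfiguration entry above and this one: the response headers a server emits for an incoming `Origin`, written three ways. The allowlist is an assumed pair of origins. Reflecting the origin while allowing credentials lets any site read a logged-in user's API responses; the suffix match meant to cover subdomains also matches `https://evilapp.example`; only the exact-match allowlist is safe.

```python
# Assumed origins that may call this API from a browser (constructed for the example).
ALLOWED_ORIGINS = frozenset({"https://app.example", "https://admin.app.example"})


def _allow(origin: str) -> dict:
    # Vary: Origin keeps caches from serving one origin's CORS headers to another.
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def cors_headers_reflecting(origin: str) -> dict:
    """Misconfigured: echoes any Origin with credentials, so any site can read authenticated responses."""
    return _allow(origin)


def cors_headers_suffix_match(origin: str) -> dict:
    """Also misconfigured: a suffix check for '*.app.example' also matches 'https://evilapp.example'."""
    return _allow(origin) if origin.endswith("app.example") else {}


def cors_headers_allowlisted(origin: str) -> dict:
    """Fixed: exact match against a fixed set; unknown origins (including 'null') get no CORS headers."""
    return _allow(origin) if origin in ALLOWED_ORIGINS else {}


if __name__ == "__main__":
    for o in ("https://app.example", "https://evilapp.example", "https://evil.example", "null"):
        print(f"{o:28} reflect={bool(cors_headers_reflecting(o))} "
              f"suffix={bool(cors_headers_suffix_match(o))} allowlist={bool(cors_headers_allowlisted(o))}")
```

`Access-Control-Allow-Origin: *` together with `Allow-Credentials: true` is rejected by browsers, which is exactly why misconfigured servers fall back to reflecting the origin; if an endpoint truly is public and needs no cookies, `*` without credentials is the honest setting.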

Sender Policy Framework (SPF)

Email Security

A DNS record that authorizes which servers can send email for your domain.

DomainKeys Identified Mail (DKIM)

Email Security

A cryptographic email signature that verifies email authenticity.

Domain-based Message Authentication (DMARC)

Email Security

A DNS policy that tells receiving servers what to do with mail claiming to be from your domain that fails SPF and DKIM alignment (monitor, quarantine or reject) and where to send reports about it.

DNSSEC

DNS Security

A security extension that cryptographically signs DNS records to prevent spoofing.

Row Level Security (RLS)

Database Security

Database-level access control that restricts which rows users can see or modify.

Software Bill of Materials (SBOM)

Supply Chain

A formal inventory of all components in your software.

Common Vulnerabilities and Exposures (CVE)

Vulnerability Management

A standardized identifier for publicly known security vulnerabilities.

Common Vulnerability Scoring System (CVSS)

Vulnerability Management

A standard for rating the severity of security vulnerabilities.

Common Weakness Enumeration (CWE)

Vulnerability Management

A taxonomy of software weakness types.

Open Web Application Security Project (OWASP)

Standards

A nonprofit foundation improving software security through open-source resources.

Zero-Day Vulnerability

Vulnerability Management

A vulnerability that is exploited before the vendor knows about it or has a fix.

Penetration Testing

Testing

Authorized simulated attacks to identify security vulnerabilities.

Dynamic Application Security Testing (DAST)

Testing

Automated security testing against running applications.

Static Application Security Testing (SAST)

Testing

Automated source code analysis for security vulnerabilities.

Software Composition Analysis (SCA)

Testing

Automated analysis of open-source components for known vulnerabilities.

Infrastructure as Code (IaC) Scanning

Cloud Security

Automated security scanning of infrastructure templates and configuration files.

Cloud Security Posture Management (CSPM)

Cloud Security

Automated detection and remediation of cloud infrastructure risks.

Rate Limiting

API Security

Restricting the number of requests a client can make within a time window.
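Added example (not from the Vezraa page): a per-client token bucket, the usual shape for "N requests per second with some burst allowance". Client keys and timestamps are constructed; time is passed in explicitly so the behaviour is deterministic. Seven requests arriving at once from one client get five allows and two denials, two seconds later two tokens have refilled, and a second client is unaffected.

```python
from collections import defaultdict


class TokenBucket:
    """Per-client bucket: up to `capacity` requests in a burst, refilled at `rate` per second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = None

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at capacity.
        if self.updated is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RateLimiter:
    def __init__(self, capacity: int = 5, rate: float = 1.0):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, rate))

    def check(self, client_key: str, now: float):
        """Return (allowed, tokens_remaining) for one request from client_key at time now."""
        bucket = self.buckets[client_key]
        allowed = bucket.allow(now)
        return allowed, int(bucket.tokens)


def demo() -> dict:
    limiter = RateLimiter(capacity=5, rate=1.0)
    t = 1000.0
    burst = [limiter.check("203.0.113.7", t)[0] for _ in range(7)]   # 7 requests in one instant
    after_wait = limiter.check("203.0.113.7", t + 2.0)[0]            # two tokens have refilled
    other_client = limiter.check("198.51.100.9", t)[0]               # separate bucket
    return {"burst": burst, "after_wait": after_wait, "other_client": other_client}


if __name__ == "__main__":
    print(demo())
```

What you key the bucket on matters as much as the numbers: for login and password-reset endpoints limit per account as well as per source address, and only trust `X-Forwarded-For` when it is set by your own proxy. Denied requests should get a 429 with `Retry-After` so well-behaved clients back off. In a multi-instance deployment the buckets live in a shared store such as Redis rather than in process memory.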

Webhook Signature Verification

API Security

Cryptographically verifying that webhook events come from the expected service.
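Added example (not from the Vezraa page, and not any particular provider's SDK) of both sides of a signed webhook. The scheme is modelled on common practice: the sender puts a timestamp and an HMAC-SHA256 over `<timestamp>.<raw body>` in a header shaped like `t=<unix seconds>,v1=<hex>`; the header format, secret and payload are constructed for the demo. The receiver checks the timestamp window (so a captured delivery cannot be replayed later) and compares digests in constant time.

```python
import hashlib
import hmac

WEBHOOK_SECRET = b"whsec_constructed_example"  # shared with the sender out of band
TOLERANCE_SECONDS = 300                         # how old a delivery may be before it is refused


def sign_webhook(raw_body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Sender side: HMAC over the timestamp and the exact bytes on the wire."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(raw_body: bytes, signature_header: str, now: int,
                   secret: bytes = WEBHOOK_SECRET) -> bool:
    """Receiver side: run this on the raw request body, before any JSON parsing."""
    try:
        fields = dict(part.split("=", 1) for part in signature_header.split(","))
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    # Stale or future-dated deliveries are refused, which bounds the replay window.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain '==' leaks how many leading characters matched.
    return hmac.compare_digest(expected, provided)


def demo() -> dict:
    body = b'{"event":"payment.succeeded","amount":4900}'  # constructed payload
    now = 1_700_000_000
    sig = sign_webhook(body, now)
    return {
        "valid": verify_webhook(body, sig, now + 10),
        "tampered_body": verify_webhook(body.replace(b"4900", b"1"), sig, now + 10),
        "replayed_later": verify_webhook(body, sig, now + 3600),
        "wrong_secret": verify_webhook(body, sign_webhook(body, now, b"other"), now),
        "garbage_header": verify_webhook(body, "nonsense", now),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The most common implementation mistake is verifying over a re-serialized copy of the parsed JSON: key order and whitespace change, the digest no longer matches, and developers "fix" it by disabling verification. Keep the raw bytes from the request and sign exactly those.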

Differential Privacy

Privacy

A mathematical framework that bounds how much any one person's data can change the output of a query or model, so results reveal almost nothing about whether a given individual was in the dataset.

Authentication Bypass

Authentication

Circumventing login or identity verification mechanisms.

Server-Side Template Injection (SSTI)

Injection

Injecting template syntax into a server-side template engine so that it evaluates attacker-supplied expressions, which often escalates to remote code execution.

Security Glossary | Vezraa