Web App Security Glossary
54+ security terms explained in plain English for vibe coders and indie founders. Every term your scanner flags — demystified.
SQL Injection
Injection: An attack where malicious SQL is inserted into queries via unsanitized user input.
Cross-Site Scripting (XSS)
Injection: An attack where malicious scripts are injected into web pages viewed by other users.
Cross-Site Request Forgery (CSRF)
Authentication: An attack that tricks authenticated users into performing unwanted actions on your app.
Server-Side Request Forgery (SSRF)
Server-Side: An attack that tricks your server into making requests to internal or cloud metadata services.
Insecure Direct Object Reference (IDOR)
Access Control: A vulnerability where users can access other users' data by changing an ID parameter.
Path Traversal
Injection: An attack where file paths are manipulated to access restricted files on the server.
Remote Code Execution (RCE)
Critical: An attack that allows arbitrary code execution on your server from a remote source.
Local File Inclusion (LFI)
Injection: An attack that includes local files on the server through user-controlled input.
Remote File Inclusion (RFI)
Injection: An attack that includes remote files from external servers through vulnerable includes.
CORS Misconfiguration
API Security: Overly permissive cross-origin resource sharing settings that expose your API.
Clickjacking
Client-Side Security: An attack that tricks users into clicking invisible elements on a page.
Subdomain Takeover
DNS Security: Claiming an unclaimed external service pointed to by a subdomain's CNAME record.
JWT Attacks
Authentication: Exploitation of weak JWT implementations, including algorithm confusion and weak secrets.
Session Fixation
Authentication: An attack where an attacker sets a user's session ID to a known value.
Open Redirect
Input Validation: A redirect endpoint that forwards users to arbitrary URLs without validation.
Mass Assignment
API Security: Binding all request parameters to model attributes without filtering sensitive fields.
Broken Object Level Authorization (BOLA)
API Security: An API vulnerability where object-level access controls are missing or broken.
API Key Exposure
Secret Exposure: Accidentally exposing API keys in client-side code or public repositories.
Secrets in Environment Variables
Secret Exposure: Improper management of secrets through environment variables in client-accessible contexts.
Supply Chain Attack
Supply Chain: Malicious code introduced through third-party dependencies or compromised packages.
Dependency Confusion
Supply Chain: Installing a malicious public package with the same name as an internal private package.
Typosquatting
Supply Chain: Registering packages with names similar to popular ones to trick developers into installing malware.
Prompt Injection
AI Security: Manipulating an LLM's behavior by injecting malicious instructions into user input.
Jailbreak
AI Security: Bypassing an LLM's content safety filters with creative prompting.
Model Inversion
AI Security: Extracting training data from a machine learning model through query-based attacks.
Training Data Poisoning
AI Security: Injecting malicious data into a model's training set to corrupt its behavior.
RAG Poisoning
AI Security: Injecting malicious content into the knowledge base of a RAG system.
Insecure Deserialization
Critical: Executing arbitrary code by manipulating serialized objects.
XML External Entity (XXE)
Injection: Exploiting XML parsers to read internal files or perform SSRF.
HTTP Strict Transport Security (HSTS)
Security Headers: A header that forces browsers to only access your site over HTTPS.
Content Security Policy (CSP)
Security Headers: A security header that controls which resources can load on your page.
Cross-Origin Resource Sharing (CORS)
API Security: A browser mechanism controlling which origins can access your web resources.
Sender Policy Framework (SPF)
Email Security: A DNS record that authorizes which servers can send email for your domain.
DomainKeys Identified Mail (DKIM)
Email Security: A cryptographic email signature that verifies email authenticity.
Domain-based Message Authentication (DMARC)
Email Security: A policy that tells receiving servers how to handle unauthenticated email.
DNSSEC
DNS Security: A security extension that cryptographically signs DNS records to prevent spoofing.
Row Level Security (RLS)
Database Security: Database-level access control that restricts which rows users can see or modify.
Software Bill of Materials (SBOM)
Supply Chain: A formal inventory of all components in your software.
Common Vulnerabilities and Exposures (CVE)
Vulnerability Management: A standardized identifier for publicly known security vulnerabilities.
Common Vulnerability Scoring System (CVSS)
Vulnerability Management: A standard for rating the severity of security vulnerabilities.
Common Weakness Enumeration (CWE)
Vulnerability Management: A taxonomy of software weakness types.
Open Web Application Security Project (OWASP)
Standards: A nonprofit foundation improving software security through open-source resources.
Zero-Day Vulnerability
Vulnerability Management: A vulnerability that is exploited before the vendor knows about it or has a fix.
Penetration Testing
Testing: Authorized simulated attacks to identify security vulnerabilities.
Dynamic Application Security Testing (DAST)
Testing: Automated security testing against running applications.
Static Application Security Testing (SAST)
Testing: Automated source code analysis for security vulnerabilities.
Software Composition Analysis (SCA)
Testing: Automated analysis of open-source components for known vulnerabilities.
Infrastructure as Code (IaC) Scanning
Cloud Security: Automated security scanning of infrastructure templates and configuration files.
Cloud Security Posture Management (CSPM)
Cloud Security: Automated detection and remediation of cloud infrastructure risks.
Rate Limiting
API Security: Restricting the number of requests a client can make within a time window.
Webhook Signature Verification
API Security: Cryptographically verifying that webhook events come from the expected service.
Differential Privacy
Privacy: A mathematical framework for ensuring individual data cannot be inferred from query results.
Authentication Bypass
Authentication: Circumventing login or identity verification mechanisms.
Server-Side Template Injection (SSTI)
Injection: Injecting malicious template directives to achieve RCE on the server.