Glossary
Security terms, in plain English
17 definitions of the security concepts that come up in our scanner. No jargon, no condescension.
- CSP
  Content Security Policy
  CSP is a browser feature that tells your site which scripts, styles, and images are allowed to run. It is the main defense against cross-site scripting (XSS).
- CORS
  Cross-Origin Resource Sharing
  CORS is a browser mechanism that controls which websites can call your API. Misconfigurations can open your app to cross-site attacks.
- CSRF
  Cross-Site Request Forgery
  CSRF tricks a logged-in user into performing actions on your site without realizing it. SameSite cookies are the modern defense.
- XSS
  Cross-Site Scripting
  XSS is an attack where malicious JavaScript gets injected into your site and runs in other users' browsers. CSP and input sanitization are the main defenses.
- DMARC
  Domain-based Message Authentication, Reporting & Conformance
  DMARC tells receiving mail servers what to do with email that fails SPF or DKIM checks. It is the single most important email security record.
- DKIM
  DomainKeys Identified Mail
  DKIM is a digital signature on outgoing email, letting receivers verify that it came from you and was not tampered with.
- Firebase
  Google's backend-as-a-service with Firestore, Auth, and Storage. Security rules are the critical layer.
- HSTS
  HTTP Strict Transport Security
  HSTS is an HTTP response header that tells browsers to only connect to your site over HTTPS, even if a user types `http://`. It stops SSL stripping attacks.
- Mixed Content
  When an HTTPS page loads resources over HTTP, breaking the HTTPS guarantee. Browsers block most of it automatically.
- RLS
  Row Level Security
  RLS is a Postgres feature that Supabase uses to enforce per-row access control. With RLS off, the anon key gives anyone full table access.
- SameSite Cookie Attribute
  SameSite controls whether the browser sends your cookie on cross-site requests. It is the main defense against CSRF.
- Security Headers
  A set of HTTP response headers that harden your site against common web attacks. Every site should send all six.
- SPF
  Sender Policy Framework
  SPF is a DNS record listing which IP addresses are allowed to send email from your domain. It is the first line of email authentication.
- SQL Injection
  SQL injection is when user input modifies your database query. Parameterized queries (not string concatenation) prevent it.
- SSL / TLS
  The encryption protocols that power HTTPS. TLS 1.2 and 1.3 are current; older versions are deprecated.
- Supabase
  An open-source backend-as-a-service built on Postgres. Popular with AI tools for its simple API, but RLS misconfigurations are common.
- X-Frame-Options
  A response header that stops other sites from embedding your page in an iframe, preventing clickjacking attacks.