Security Knowledge Base
This knowledge base explains every finding our vulnerability scanner can report. Each article describes what the issue is, the practical risk it poses, and how to remediate it, written for IT managers and developers, not for people who already speak fluent CVSS.
If you arrived here from a scan report, the article you need is linked directly from the finding card. The full catalogue is grouped by topic below.
Service vulnerabilities
- Authentication Bypass, in plain English [info]
  Authentication bypass lets attackers reach protected resources without credentials. The most embarrassing CVEs of the last decade. Patterns and root causes.
- Cross-Site Scripting (XSS), in plain English [info]
  XSS lets attackers run their JavaScript in another visitor's browser. The three flavours, the modern defenses, and why CSP is necessary but not sufficient.
- Database vulnerabilities [info]
  A database CVE matters less than whether the database is exposed to the internet. How to read MySQL, Postgres, Mongo and Redis CVEs in a scan report.
- Denial of Service (DoS), in plain English [info]
  DoS bugs range from volumetric DDoS to single-packet protocol flaws and quadratic regex traps. What attackers gain by taking you offline, and what defends.
- FTP server vulnerabilities [info]
  FTP has cleartext credentials and a long CVE history. The better question is whether to run FTP at all. Migration paths to SFTP and HTTPS uploads.
- How to read a CVE [info]
  Every scan finding has a CVE, a CVSS score, sometimes an EPSS or KEV flag. How to read them and decide which vulnerabilities to fix first.
- Insecure Deserialization, in plain English [info]
  When an application reads attacker-shaped structured data, reading can quietly turn into running code. The bug class behind dozens of headline RCEs.
- Mail server vulnerabilities [info]
  Mail servers parse attacker-supplied data on every connection. Bugs there usually mean pre-auth code execution. The Exim 2019 lessons and what to patch.
- OpenSSH vulnerabilities [info]
  Most OpenSSH CVEs flagged by scanners are version-banner false positives. The actually exploitable ones are rare. How to triage SSH findings sensibly.
- Path Traversal, in plain English [info]
  Path traversal lets attackers read or write files outside the directory your application meant to expose. Often the second step toward full server takeover.
- Prototype Pollution, in plain English [info]
  A JavaScript bug class where attacker-controlled input rewrites Object.prototype, infecting every object the app creates. Path from a deep-merge bug to RCE.
- Remote Code Execution (RCE), in plain English [info]
  RCE is the worst-case software bug: an internet attacker runs commands on your server. What enables it, what attackers do once inside, why patches cannot wait.
- SQL Injection, in plain English [info]
  SQL injection lets attackers rewrite the queries your app sends to the database. Every record in every table, sometimes the OS underneath. Patterns and fixes.
- Server-Side Request Forgery (SSRF), in plain English [info]
  SSRF lets attackers make web requests from your server to anywhere it can reach, including internal admin panels and cloud metadata. Capital One in one article.
- Web server vulnerabilities [info]
  A web server CVE sits at the front door and sees every request. Why these patches jump the queue, and what to do when an immediate update is not possible.
Transport security (TLS)
- Plain HTTP not redirected to HTTPS [medium]
  Your HTTPS works, but visitors typing the address without https:// still land on plain HTTP. A one-line redirect closes a real, frequently exploited gap.
- Site served without HTTPS [high]
  Your site is reachable only over plain HTTP. Every login, every form is readable on the network. How to add HTTPS for free with Let's Encrypt.
HTTP headers
- Content Security Policy not set [medium]
  CSP lists trusted sources for scripts and styles. Without one, a single XSS bug becomes full account takeover. Starter policy and rollout in report-only mode.
- HSTS not enabled [medium]
  HSTS tells browsers to always use HTTPS for your domain. Without it, the very first request is plain HTTP and a network attacker can keep visitors there.
- Referrer-Policy not set [low]
  Without a Referrer-Policy header, visitors leak the full URL (including tokens, search terms, IDs) to every external site they click. The one-line fix.
- X-Content-Type-Options not set [low]
  Without X-Content-Type-Options: nosniff, browsers can guess that an uploaded file is a script and execute it. The one-line fix that closes a known XSS path on file uploads.
- Site can be embedded in other websites [medium]
  Without an embedding policy, attackers load your site inside theirs and trick visitors into clicking buttons they cannot see. The header that prevents it.
Email security
- BIMI not configured [low]
  BIMI shows your verified company logo next to email in Gmail and Apple Mail. Setup requirements, VMC certificate cost, and how to deploy it.
- CAA record missing [low]
  Without a CAA DNS record, any of 90+ certificate authorities can issue HTTPS certs for your domain. How CAA prevents mis-issuance and how to add it.
- DKIM signing not detected [medium]
  DKIM signs outgoing email so receivers can verify it was not tampered with. Without it, messages drop to spam or get rejected. How to set DKIM up.
- DMARC record missing [medium]
  DMARC tells mail servers what to do with spoofed messages from your domain. Without it, spoofed messages get past most providers even when SPF and DKIM are valid. Setup guide.
- DMARC monitoring only (p=none) [medium]
  Your DMARC record exists, but p=none means receivers only report failures, never block them. How to safely escalate to p=quarantine and p=reject.
- DNSSEC not enabled [low]
  DNSSEC cryptographically signs DNS answers so attackers cannot redirect your visitors or email. How DNSSEC works and how to enable it on your domain.
- MTA-STS not configured [low]
  MTA-STS forces TLS on inbound mail. Without it, a network attacker can downgrade messages to plain text and read them. DNS records and policy file.
- SPF record missing [medium]
  Without an SPF record, anyone on the internet can send email that claims to be from your domain. Why mail providers downgrade you and how to set SPF.
Breach data
DSGVO & compliance
- Consent management platform detected [info]
  A consent management platform was detected on your site. Cookiebot, Usercentrics, Borlabs and others still need configuration to be GDPR-compliant.
- Google Fonts loaded from Google [high]
  Loading Google Fonts from fonts.googleapis.com sends visitor IPs to Google. Munich Court I awarded €100 damages. How to self-host the fonts in 5 minutes.
- Google Maps without consent gate [high]
  A live Google Maps iframe sends visitor IPs to Google before consent. Use a click-to-load placeholder or the static Maps API. Both work without a CMP.
- Impressum (legal notice) missing [medium]
  German law (§5 TMG) requires a clearly labelled legal-notice page reachable in two clicks. Missing or hidden Impressums are a classic Abmahnung target.
- Privacy policy missing [medium]
  GDPR Articles 13 and 14 require every website to publish a privacy policy. Missing or unreachable policies are an easy finding for regulators and competitors.
- Tracker script before consent [high]
  Google Analytics, Facebook Pixel or Hotjar firing before the consent banner is unlawful under GDPR and TDDDG §25. Why it triggers fines and how to fix it.
- No cookie banner, but trackers are present [high]
  Your site loads tracking scripts without a consent banner. Under GDPR and TDDDG that triggers fines. Why it is worse than getting consent wrong.
- Tracking cookie before consent [high]
  A tracking cookie was written before the visitor accepted any banner. Under TDDDG §25 that is unlawful storage. Where the bug usually hides and how to fix it.