Security glossary

A vulnerability where an API exposes an object by its identifier without verifying that the requesting user is authorized to access that specific object.

A classic authorization bug where internal object identifiers are exposed client-side and used without ownership verification.

A PostgreSQL feature (used heavily by Supabase) that restricts which rows a database user can read or write via policies attached to tables.

An attack where a malicious site triggers a state-changing request against your app while your user is logged in, using the user's cookies.

A compact, URL-safe token format for transmitting claims between parties, cryptographically signed by the issuer.

An open standard for delegated authorization — letting an app access a resource on behalf of a user without sharing the user's password.

An authentication method that requires two or more verification factors — something you know, something you have, or something you are.

An extension to OAuth 2.0 Authorization Code flow that protects against code interception for public clients (SPAs, mobile apps).

A principle stating that every user, process, or system should have only the minimum permissions required to perform its function.

A W3C standard for strong, phishing-resistant authentication using public-key cryptography tied to the user's device or security key.

A passwordless credential built on WebAuthn that syncs across the user's devices via iCloud Keychain, Google Password Manager, or a password manager.

An authorization model where users are assigned roles, and roles are granted permissions.

An attack where attacker-controlled JavaScript executes in another user's browser in the context of your application.

An attack where attacker-controlled input is interpolated into a SQL query, letting the attacker execute arbitrary SQL.

An HTTP response header that tells the browser which sources are allowed for scripts, styles, images, and other resources, limiting the impact of XSS.

An attack where a crafted input triggers catastrophic backtracking in a regular-expression engine, hanging the process.

The ability for an attacker to execute arbitrary code on a remote server.

An attack where an attacker causes a server to make HTTP requests to destinations chosen by the attacker — often internal networks or cloud metadata endpoints.

An HTTP response header that tells browsers to only ever contact the domain over HTTPS for a specified duration.

An HTTP-layer filter that inspects incoming traffic and blocks requests matching attack patterns like SQL injection, XSS, or known CVE exploitation.

Hardware-isolated compute enclaves that run code and process data invisibly to the host operating system and operator.

Any credential whose compromise would lead to abuse: API keys, database passwords, signing secrets, private keys.

A security framework for supply-chain integrity — a checklist + standards for how build artifacts are produced, signed, and verified.

A complete inventory of every component in a software product — libraries, dependencies, versions, licenses.

An attack where untrusted content (a user message, a document, an email) contains instructions that alter the behavior of an LLM-powered application.

A transparency document listing every AI model a product uses — with role, license, residency, and retention.

A globally-unique identifier for a specific disclosed software vulnerability.

Security testing that analyzes source code or build artifacts without executing the code.

Security testing that runs against a deployed application, sending requests and observing responses.

A hybrid testing approach that instruments a running application to observe security-relevant behavior during test execution.

A compliance framework developed by the AICPA for service organizations, focused on security, availability, processing integrity, confidentiality, and privacy.

A security model where no request is trusted by default — every identity, device, and network path must be verified regardless of its origin.

A security strategy layering multiple independent controls so no single failure exposes the system.

A standard for rating the severity of software vulnerabilities on a 0.0 – 10.0 numeric scale.

A nonprofit that publishes open security resources, most famously the OWASP Top 10 and OWASP API Top 10 lists of most-common vulnerabilities.

US government agency that publishes many security standards: NIST 800-53 (controls), NIST CSF (framework), NVD (vulnerability database), PQC (post-quantum) standards.

A structured process to identify, enumerate, and prioritize the ways an attacker could compromise a system.

An authorized simulated attack on a system to identify exploitable vulnerabilities — conducted by humans or autonomous tools.

A policy inviting security researchers to report vulnerabilities in exchange for recognition or monetary reward.

The practice of integrating security into every stage of the DevOps lifecycle — from design to deployment to runtime.

Moving security activities earlier in the development lifecycle — from post-deployment audits to pre-merge code review.