Free Resource

Security glossary for founders

31+ security terms explained in plain English. No jargon, no prerequisites — just clear definitions for the concepts that matter most for your app.

A
API Key
A secret password for a service (like OpenAI, Stripe, or Supabase). When you put an API key in your code, you're trusting that code to keep the secret safe. If the key ends up in client-side JavaScript, anyone can read it and use the service on your account.
Authentication
The process of verifying who someone is — "are you who you claim to be?" In web apps, this usually means checking a username and password, or a session token. Authentication is different from authorization (what you're allowed to do).
Authorization
The process of deciding what an authenticated user is allowed to do. "You're logged in — but are you allowed to see this data?" Authentication says who you are; authorization says what you can access.
B
Brute Force Attack
An attacker trying many passwords or keys automatically until one works. Without rate limiting on your login endpoint, a script can try thousands of passwords per minute. Strong password requirements and rate limiting prevent this.
C
CORS (Cross-Origin Resource Sharing)
A browser rule that controls which websites can make requests to your API. If your CORS policy is set to wildcard (*), any website can make requests to your API using your users' credentials. You should only allow requests from your own domain.
Content-Security-Policy (CSP)
A security header that tells browsers which scripts and resources are allowed to run on your page. Without CSP, a cross-site scripting (XSS) vulnerability lets an attacker run any script. With CSP, only approved sources can run scripts.
CSRF (Cross-Site Request Forgery)
An attack where a malicious website tricks a logged-in user's browser into making requests to your app without their knowledge. For example, visiting an attacker's page could silently delete your account data on another site where you're logged in.
D
Data Breach
When private data is accessed by someone who shouldn't have access to it. Breaches happen through vulnerabilities like exposed database credentials, SQL injection, or misconfigured access controls. After a breach, you may be legally required to notify affected users.
E
Encryption
Converting data into a form that can only be read with the right key. "Encrypted at rest" means data stored in your database is scrambled. "Encrypted in transit" means data travelling between your users and your server is protected. HTTPS provides encryption in transit.
Environment Variable
A way to store configuration values (like API keys) separately from your code. Environment variables are set on the server and are not included in your deployed JavaScript. The risk: in Next.js, variables prefixed with NEXT_PUBLIC_ are included in client-side code and visible to users.
H
HTTPS (HyperText Transfer Protocol Secure)
The encrypted version of HTTP. When your app uses HTTPS, data between your users and your server is encrypted and cannot be read by someone watching the network. Without HTTPS, passwords and session tokens travel in plaintext.
HSTS (HTTP Strict Transport Security)
A security header that tells browsers to always use HTTPS for your domain, even if someone types http://. Without HSTS, a user's first visit could happen over HTTP before being redirected — a window for interception.
I
Injection Attack
A category of attacks where malicious code is inserted into user input and then executed by your application. SQL injection targets databases; command injection targets server commands; XSS targets the browser. The fix is always the same: never trust user input, always sanitize or use parameterized queries.
J
JWT (JSON Web Token)
A compact, URL-safe token used for authentication. JWTs contain user information and are signed to prevent tampering. Supabase and many auth systems use JWTs as session tokens. If a JWT ends up in your page source or client JavaScript, an attacker can use it to impersonate users.
M
MITM (Man-in-the-Middle Attack)
An attack where someone intercepts the communication between a user and your server. On public Wi-Fi, an attacker can see all HTTP traffic. HTTPS prevents MITM attacks by encrypting the communication. This is why HTTPS is non-negotiable for any app that handles user data.
O
OWASP
The Open Web Application Security Project — a non-profit that publishes free security resources. Their "Top 10" list is the industry standard checklist of the most critical web vulnerabilities. It's updated regularly and freely available at owasp.org.
Open Redirect
A vulnerability where your app can be tricked into redirecting users to an external URL. An attacker can craft a link to your login page that redirects to their phishing site after login, making the phishing link appear to come from your domain.
R
Rate Limiting
Restricting how many requests a user or IP address can make in a given time window. Without rate limiting on login endpoints, attackers can try thousands of passwords automatically. Without rate limiting on API endpoints, attackers can scrape your data or run up your usage costs.
RLS (Row Level Security)
A Supabase (PostgreSQL) feature that adds access control rules at the database level. With RLS enabled, database queries automatically filter to only return rows the current user is allowed to see. Without RLS, any authenticated user can query any row in any table.
robots.txt
A file at the root of your website that tells search engine crawlers which pages to index. Security risk: robots.txt is public. If you list paths like /admin or /api in robots.txt to block crawlers, you're also telling attackers exactly which sensitive paths exist.
S
Security Header
HTTP response headers that tell browsers how to behave securely when displaying your app. The most important ones are Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and X-Content-Type-Options. Most AI-generated apps don't include these by default.
Session
A temporary connection between a user and your app after they log in. Sessions are tracked with a session token (usually a cookie or JWT). Security requirements: sessions should expire after inactivity, and logging out should invalidate the session token server-side.
SQL Injection
An attack that inserts malicious SQL code into user input that gets executed by your database. Example: a search field that inserts the search term directly into a SQL query can be exploited to delete tables, extract all data, or bypass authentication. The fix: use parameterized queries or an ORM.
SSL Certificate
A digital certificate that enables HTTPS by proving your server is who it claims to be and enabling encryption. Modern hosting platforms (Vercel, Netlify, Fly.io) provision SSL certificates automatically. On custom domains with self-managed hosting, this requires manual setup.
SSRF (Server-Side Request Forgery)
An attack where an attacker tricks your server into making HTTP requests to internal services that should only be accessible from inside your infrastructure. Relevant if your app fetches URLs provided by users — an attacker might provide an internal IP address to access internal services.
Supply Chain Attack
An attack targeting your app's dependencies (npm packages, CDN scripts) rather than your code directly. If an attacker compromises a package you use, malicious code runs in your app automatically on the next install or update. Keep dependencies updated and use Subresource Integrity (SRI) for external scripts.
T
TLS (Transport Layer Security)
The modern encryption protocol that powers HTTPS. When you see "SSL" mentioned in security contexts, it usually means TLS — SSL is the older predecessor. When your hosting says "SSL certificate," it actually issues a TLS certificate. Both mean the same thing for most practical purposes.
V
Vulnerability
A weakness in your app that an attacker could exploit. Vulnerabilities are not the same as bugs — your app can work correctly and still have vulnerabilities. Exposed API keys, missing CORS restrictions, and disabled database access controls are all vulnerabilities.
X
X-Frame-Options
A security header that prevents your app from being embedded in an iframe on other websites. Without it, an attacker can create a malicious page that overlays an invisible iframe of your app over their content — tricking users into clicking buttons they can't see. Set this to DENY.
XSS (Cross-Site Scripting)
An attack where an attacker injects malicious JavaScript into a page that other users see. In a stored XSS attack, malicious input is saved to the database and runs for every user who views it. The fix: sanitize all user input before displaying it, and use Content-Security-Policy headers.
Z
Zero-Day
A vulnerability that is unknown to the software vendor and therefore has no patch available ("zero days" for developers to fix it). For most founders, zero-days in major frameworks are rare — the more common risk is known vulnerabilities that you haven't patched, or configuration issues that are your own responsibility.

Check your app for real vulnerabilities

VibeScan automatically detects the most common issues — HTTPS, CORS, security headers, and exposed secrets — in under 60 seconds.

Scan my app free →