Security

The Common Weakness Enumeration (CWE) is a community-developed catalog of software and hardware security weaknesses maintained by the MITRE Corporation. It assigns each type of vulnerability a unique identifier, a description, and guidance on prevention. If you work in application security — or write code that needs to be secure — CWE is a foundational reference. What CWE Is (and Is Not) CWE describes types of weaknesses, not specific bugs in specific software. A single CWE entry like CWE-79 (Cross-Site Scripting) covers every instance of that weakness across every application that has ever been vulnerable to it. ...

XML External Entity (XXE) injection exploits applications that parse XML input without disabling external entity resolution. If the XML parser is misconfigured (which many are by default), an attacker can define custom entities that read local files, make network requests, or cause denial of service. These payloads are for authorized security testing only. What is XXE? When an XML parser processes a document, it can resolve entities defined in the DOCTYPE declaration. External entities use the SYSTEM keyword to reference files or URLs. If the parser resolves these without restriction, the attacker controls what the server reads and where it sends data. ...

Content Security Policy (CSP) is a browser security mechanism that controls which resources a web page is allowed to load. By declaring a policy via HTTP header, you tell the browser exactly which scripts, styles, images, fonts, and connections are permitted. Anything not explicitly allowed is blocked. CSP is one of the most effective defenses against Cross-Site Scripting (XSS) and data injection attacks. How CSP Works CSP is delivered as an HTTP response header: ...