RestingOwl owl logo RestingOwl

The RestingOwl Blog

Expert advice on securing modern web applications, following OWASP standards.

Jul 13, 2026 · 8 min read

Brute Force vs Credential Stuffing vs Password Spraying

Three automated login attacks that are often confused. Compare how each one guesses passwords and which defence, from account lockout to MFA, actually stops it.

Brute ForceCredential StuffingPassword SprayingAuthenticationOWASP
Jul 13, 2026 · 9 min read

Multi-Factor Authentication (MFA): A Simple Guide

MFA blocks most account takeover by asking for more than a password. Compare TOTP, passkeys, push, and SMS, and roll MFA out without locking users out.

MFA2FAAuthenticationTOTPOWASP
Jul 13, 2026 · 9 min read

Password Hashing Explained: bcrypt vs Argon2

Storing passwords safely means a slow salted hash, not MD5 or SHA-256. Compare bcrypt vs Argon2id, learn what a salt does, and follow the OWASP storage checklist.

Password HashingbcryptArgon2AuthenticationOWASP
Jul 13, 2026 · 9 min read

CORS Explained: How Cross-Origin Requests Work

CORS controls which sites can read your server's responses. Learn the same-origin policy, preflight requests, the dangerous misconfigurations, and how to set it up safely.

CORSWeb SecuritySame-Origin PolicyAPI SecurityOWASP
Jul 13, 2026 · 9 min read

OAuth 2.0 and OpenID Connect Security Made Simple

OAuth and OpenID Connect explained in plain terms: the difference between them, the safe authorization code flow with PKCE, redirect and state checks, and token validation.

OAuthOpenID ConnectAuthenticationSecurityOWASP
Jul 13, 2026 · 8 min read

Secure File Uploads: How to Handle User Files Safely

Why file uploads are risky and how to handle them: validate the real file type, limit size, rename files, store them outside the web root, and serve downloads safely.

File UploadsSecurityOWASPWeb SecurityASVS
Jul 13, 2026 · 8 min read

HTTPS and TLS Security: A Plain Guide for Developers

What TLS and HTTPS protect, why HSTS matters, which TLS versions and settings to use, and why internal service traffic needs encryption too.

TLSHTTPSSecurityOWASPWeb Security
Jul 13, 2026 · 8 min read

Secure Configuration and Secrets Management Explained

Keep API keys out of code and git, use a secret manager, rotate secrets, turn off debug and default accounts, and avoid the misconfigurations that cause breaches.

ConfigurationSecrets ManagementSecurityOWASPDevSecOps
Jul 13, 2026 · 8 min read

Data Protection in Web Apps: A Simple Developer Guide

Classify sensitive data, collect less, encrypt in transit and at rest, control caching of private pages, and set safe retention to shrink your breach risk.

Data ProtectionPrivacySecurityOWASPWeb Security
Jul 13, 2026 · 8 min read

WebRTC Security: How to Keep Calls and Data Safe

WebRTC media is encrypted by default, but you still must secure signaling and TURN servers. Learn the risks: relay abuse, session hijacking, and IP address leaks.

WebRTCSecurityOWASPReal TimeWeb Security
Jul 4, 2026 · 10 min read

Content Security Policy (CSP): A Practical Guide to Stopping XSS

How a CSP header stops XSS: the key directives, building a strict nonce-based policy, safe report-only rollout, and the common mistakes that make a policy useless.

CSPXSSSecurityOWASPWeb Security
Jul 4, 2026 · 9 min read

Password Spraying: How It Works and How to Prevent It

Password spraying tries one common password against many accounts to slip past lockout. How it differs from brute force and credential stuffing, detection signals, and OWASP defenses.

Password SprayingAuthenticationSecurityOWASPBrute Force
Jun 28, 2026 · 10 min read

Rate Limiting and Account Lockout: Stop Brute Force Attacks

Rate limiting vs account lockout: how each stops brute force and credential stuffing, the four limiting algorithms with a code example, and OWASP best practices for combining them safely.

AuthenticationSecurityOWASPBrute ForceRate Limiting
Jun 28, 2026 · 10 min read

SQL Injection: How It Works and How to Prevent It

SQL injection explained with a vulnerable code example: the types, what attackers can do, and how to prevent it with parameterized queries, ORMs, and least privilege.

SQL InjectionSecurityOWASPInjectionWeb Security
Jun 28, 2026 · 10 min read

Session Management and Secure Cookies: A Developer's Guide

How sessions and cookies work, the HttpOnly, Secure and SameSite flags, session hijacking and fixation, and the OWASP session security checklist.

AuthenticationSecurityOWASPCookiesWeb Security
Jun 28, 2026 · 9 min read

CSRF (Cross-Site Request Forgery): Attacks and Defenses

How CSRF works, how it differs from XSS, and how to prevent it with anti-CSRF tokens, SameSite cookies, and Origin checks.

CSRFSecurityOWASPWeb SecurityCookies
Jun 28, 2026 · 9 min read

Types of XSS: Stored, Reflected and DOM-Based Explained

The three types of cross-site scripting explained with a vulnerable code example, a real attack payload, and the fix for each: stored, reflected, and DOM-based XSS, plus a side-by-side comparison.

XSSSecurityOWASPWeb SecurityInjection
Jun 19, 2026 · 10 min read

What Is Credential Stuffing? How It Works and How to Stop It

Credential stuffing replays stolen username and password pairs from data breaches at scale. Learn how it differs from brute force, how attacks are automated, and the OWASP checklist to stop them.

Credential StuffingAuthenticationOWASPSecurityNode.jsPassword Security
Jun 19, 2026 · 9 min read

Brute Force Attacks: How They Work and How to Prevent Them

Brute force attacks try every possible password until one works. Learn the different attack types, why they still succeed, how account lockout and rate limiting work, and the OWASP ASVS prevention controls.

Brute ForceAuthenticationSecurityOWASPNode.jsRate Limiting
Jun 2, 2026 · 9 min read

Excessive Agency in AI Agents: When Your AI Has Too Much Power

Excessive agency is OWASP LLM06: giving an AI agent more tools, permissions, or autonomy than it needs. Combined with prompt injection, every permission the agent holds becomes available to an attacker. Learn how to apply the principle of least privilege to AI.

AI AgentsExcessive AgencyLLM SecurityAI SecurityOWASP
Jun 2, 2026 · 10 min read

What Is Prompt Injection? The SQL Injection of the AI Era

Prompt injection lets attackers redirect an AI agent's behaviour by embedding malicious instructions in content the model reads. Learn the difference between direct and indirect injection, the damage each can cause, and the layered defences that reduce the risk.

Prompt InjectionAI SecurityLLM SecurityAI AgentsOWASP
Jun 2, 2026 · 14 min read

The OWASP Top 10 for LLM Applications: What Every Developer Needs to Know

The OWASP Top 10 for LLM Applications covers the ten most critical risks in AI systems. This guide explains all ten: from prompt injection and excessive agency to data poisoning and supply chain vulnerabilities, with prevention steps for each.

OWASPLLM SecurityAI SecurityPrompt InjectionAI Agents
Jun 2, 2026 · 11 min read

What Is an AI Agent? A Security Engineer's Mental Model

An AI agent uses an LLM to perceive, decide, and act autonomously: calling tools, reading files, and chaining steps. Learn the four core components, the autonomous loop, and the attack surface each one introduces that traditional app security cannot cover.

AI SecurityAI AgentsLLM SecurityAgentic AIMachine Learning
May 14, 2026 · 10 min read

What Is Cross-Site Scripting (XSS)? Impact and Prevention

XSS lets attackers inject malicious JavaScript into pages viewed by other users, enabling session hijacking and account takeover. Learn the three types, what attackers can do, and the OWASP prevention checklist.

XSSSecurityOWASPWeb SecurityCSP
May 14, 2026 · 10 min read

JWT vs Session Tokens: Which Is More Secure?

Sessions are stateful and instantly revocable. JWTs are stateless but cannot be invalidated before expiry. A full security comparison across eight dimensions, with OWASP guidance on when to use each.

JWTSessionsAuthenticationSecurityOWASP
May 14, 2026 · 9 min read

STRIDE vs DREAD vs PASTA vs LINDDUN: Which Threat Modeling Framework Should You Use?

STRIDE finds threats, DREAD ranks them, PASTA analyzes business impact, and LINDDUN covers privacy. These frameworks are complements, not alternatives: learn when to use each and how to combine them.

Threat ModelingSTRIDEDREADPASTALINDDUN
May 14, 2026 · 8 min read

Passwordless Authentication with Magic Links: How It Works and Why It's Secure

A magic link is a one-time, time-limited URL sent to the user's email: no password required. Learn the security properties a proper implementation must meet, how magic links compare to passwords and passkeys, and common mistakes to avoid.

AuthenticationMagic LinksPasswordlessSecurityNode.js
May 14, 2026 · 7 min read

How to Check Breached Passwords Using the HaveIBeenPwned API in Node.js

Use the HaveIBeenPwned Pwned Passwords API with k-anonymity to detect breached passwords at registration: without sending the password or its full hash to any third party. Only the first 5 SHA-1 hash characters ever leave your server.

SecurityAuthenticationHaveIBeenPwnedNode.jsOWASP
May 13, 2026 · 10 min read

What is Threat Modeling and What Are the Methods to Do It?

Threat modeling is proactive security planning: thinking about how someone could break your system before they do. Learn the four foundational questions and frameworks like STRIDE, DREAD, PASTA, and LINDDUN.

SecurityThreat ModelingOWASPSTRIDEDREAD

Blog FAQ

We'd love to hear from you! If you have a security-focused topic or an OWASP guide you'd like to share, please reach out to us on LinkedIn or click on the "Join the Community" link on home page.
Copied!