The RestingOwl Blog
Expert advice on securing modern web applications, following OWASP standards.
What Is Cross-Site Scripting (XSS)? Types, Impact & How to Prevent It
XSS lets attackers inject malicious JavaScript into pages viewed by other users, enabling session hijacking and account takeover. Learn the three types, what attackers can do, and the OWASP prevention checklist.
JWT vs Session Tokens: Which Is More Secure?
Sessions are stateful and instantly revocable. JWTs are stateless but cannot be invalidated before expiry. A full security comparison across eight dimensions, with OWASP guidance on when to use each.
STRIDE vs DREAD vs PASTA vs LINDDUN: Which Threat Modeling Framework Should You Use?
STRIDE finds threats, DREAD ranks them, PASTA analyzes business impact, and LINDDUN covers privacy. These frameworks are complements, not alternatives: learn when to use each and how to combine them.
Passwordless Authentication with Magic Links: How It Works and Why It's Secure
A magic link is a one-time, time-limited URL sent to the user's email: no password required. Learn the security properties a proper implementation must meet, how magic links compare to passwords and passkeys, and common mistakes to avoid.
How to Check Breached Passwords Using the HaveIBeenPwned API in Node.js
Use the HaveIBeenPwned Pwned Passwords API with k-anonymity to detect breached passwords at registration without sending the password or its full hash to any third party. Only the first 5 characters of the SHA-1 hash ever leave your server.
What is Threat Modeling and What Are the Methods to Do It?
Threat modeling is proactive security planning: thinking about how someone could break your system before they do. Learn the four foundational questions and frameworks like STRIDE, DREAD, PASTA, and LINDDUN.