The RestingOwl Blog
Expert advice on securing modern web applications, following OWASP standards.
Brute Force vs Credential Stuffing vs Password Spraying
Three automated login attacks that are often confused. Compare how each one guesses passwords and which defence, from account lockout to MFA, actually stops it.
Multi-Factor Authentication (MFA): A Simple Guide
MFA blocks most account takeover by asking for more than a password. Compare TOTP, passkeys, push, and SMS, and roll MFA out without locking users out.
Password Hashing Explained: bcrypt vs Argon2
Storing passwords safely means a slow salted hash, not MD5 or SHA-256. Compare bcrypt vs Argon2id, learn what a salt does, and follow the OWASP storage checklist.
CORS Explained: How Cross-Origin Requests Work
CORS controls which sites can read your server's responses. Learn the same-origin policy, preflight requests, the dangerous misconfigurations, and how to set it up safely.
OAuth 2.0 and OpenID Connect Security Made Simple
OAuth and OpenID Connect explained in plain terms: the difference between them, the safe authorization code flow with PKCE, redirect and state checks, and token validation.
Secure File Uploads: How to Handle User Files Safely
Why file uploads are risky and how to handle them: validate the real file type, limit size, rename files, store them outside the web root, and serve downloads safely.
HTTPS and TLS Security: A Plain Guide for Developers
What TLS and HTTPS protect, why HSTS matters, which TLS versions and settings to use, and why internal service traffic needs encryption too.
Secure Configuration and Secrets Management Explained
Keep API keys out of code and git, use a secret manager, rotate secrets, turn off debug and default accounts, and avoid the misconfigurations that cause breaches.
Data Protection in Web Apps: A Simple Developer Guide
Classify sensitive data, collect less, encrypt in transit and at rest, control caching of private pages, and set safe retention to shrink your breach risk.
WebRTC Security: How to Keep Calls and Data Safe
WebRTC media is encrypted by default, but you still must secure signaling and TURN servers. Learn the risks: relay abuse, session hijacking, and IP address leaks.
Content Security Policy (CSP): A Practical Guide to Stopping XSS
How a CSP header stops XSS: the key directives, building a strict nonce-based policy, safe report-only rollout, and the common mistakes that make a policy useless.
Password Spraying: How It Works and How to Prevent It
Password spraying tries one common password against many accounts to slip past lockout. How it differs from brute force and credential stuffing, detection signals, and OWASP defenses.
Rate Limiting and Account Lockout: Stop Brute Force Attacks
Rate limiting vs account lockout: how each stops brute force and credential stuffing, the four limiting algorithms with a code example, and OWASP best practices for combining them safely.
SQL Injection: How It Works and How to Prevent It
SQL injection explained with a vulnerable code example: the types, what attackers can do, and how to prevent it with parameterized queries, ORMs, and least privilege.
Session Management and Secure Cookies: A Developer's Guide
How sessions and cookies work, the HttpOnly, Secure and SameSite flags, session hijacking and fixation, and the OWASP session security checklist.
CSRF (Cross-Site Request Forgery): Attacks and Defenses
How CSRF works, how it differs from XSS, and how to prevent it with anti-CSRF tokens, SameSite cookies, and Origin checks.
Types of XSS: Stored, Reflected and DOM-Based Explained
The three types of cross-site scripting explained with a vulnerable code example, a real attack payload, and the fix for each: stored, reflected, and DOM-based XSS, plus a side-by-side comparison.
What Is Credential Stuffing? How It Works and How to Stop It
Credential stuffing replays stolen username and password pairs from data breaches at scale. Learn how it differs from brute force, how attacks are automated, and the OWASP checklist to stop them.
Brute Force Attacks: How They Work and How to Prevent Them
Brute force attacks try every possible password until one works. Learn the different attack types, why they still succeed, how account lockout and rate limiting work, and the OWASP ASVS prevention controls.
Excessive Agency in AI Agents: When Your AI Has Too Much Power
Excessive agency is OWASP LLM06: giving an AI agent more tools, permissions, or autonomy than it needs. Combined with prompt injection, every permission the agent holds becomes available to an attacker. Learn how to apply the principle of least privilege to AI.
What Is Prompt Injection? The SQL Injection of the AI Era
Prompt injection lets attackers redirect an AI agent's behaviour by embedding malicious instructions in content the model reads. Learn the difference between direct and indirect injection, the damage each can cause, and the layered defences that reduce the risk.
The OWASP Top 10 for LLM Applications: What Every Developer Needs to Know
The OWASP Top 10 for LLM Applications covers the ten most critical risks in AI systems. This guide explains all ten: from prompt injection and excessive agency to data poisoning and supply chain vulnerabilities, with prevention steps for each.
What Is an AI Agent? A Security Engineer's Mental Model
An AI agent uses an LLM to perceive, decide, and act autonomously: calling tools, reading files, and chaining steps. Learn the four core components, the autonomous loop, and the attack surface each one introduces that traditional app security cannot cover.
What Is Cross-Site Scripting (XSS)? Impact and Prevention
XSS lets attackers inject malicious JavaScript into pages viewed by other users, enabling session hijacking and account takeover. Learn the three types, what attackers can do, and the OWASP prevention checklist.
JWT vs Session Tokens: Which Is More Secure?
Sessions are stateful and instantly revocable. JWTs are stateless but cannot be invalidated before expiry. A full security comparison across eight dimensions, with OWASP guidance on when to use each.
STRIDE vs DREAD vs PASTA vs LINDDUN: Which Threat Modeling Framework Should You Use?
STRIDE finds threats, DREAD ranks them, PASTA analyzes business impact, and LINDDUN covers privacy. These frameworks are complements, not alternatives: learn when to use each and how to combine them.
Passwordless Authentication with Magic Links: How It Works and Why It's Secure
A magic link is a one-time, time-limited URL sent to the user's email: no password required. Learn the security properties a proper implementation must meet, how magic links compare to passwords and passkeys, and common mistakes to avoid.
How to Check Breached Passwords Using the HaveIBeenPwned API in Node.js
Use the HaveIBeenPwned Pwned Passwords API with k-anonymity to detect breached passwords at registration: without sending the password or its full hash to any third party. Only the first 5 SHA-1 hash characters ever leave your server.
What is Threat Modeling and What Are the Methods to Do It?
Threat modeling is proactive security planning: thinking about how someone could break your system before they do. Learn the four foundational questions and frameworks like STRIDE, DREAD, PASTA, and LINDDUN.