Security
138 terms in this category
2FA
2FA is short for Two-Factor Authentication. Two locks instead of one. Password plus a code from your phone (or a hardware key).
AI Red Teaming
AI red teaming is probing AI systems for failures, jailbreaks, and safety bypasses before deployment — break it so users can't.
API Key Rotation
API Key Rotation is regularly replacing your API keys with new ones. Like changing passwords, but for machine-to-machine authentication.
API Security
API security is protecting your APIs from abuse, data leaks, and unauthorized access. It covers authentication (who are you?), authorization (can you do th
Access Token
An Access Token is your short-lived pass to access an API. It proves you're authenticated and what you're allowed to do.
Asymmetric Encryption
Asymmetric encryption uses two different keys — one to lock (public key), one to unlock (private key).
Auth0
Auth0 is the auth service that enterprise companies pay for because it has compliance checkboxes, SAML, and an SLA.
Authentication (AuthN)
Authentication is proving you are who you say you are.
Authorization (AuthZ)
Authorization is deciding what you're allowed to do after you've proven who you are.
Bcrypt
Bcrypt is the gold-standard password hasher that's intentionally slow.
Biometric
Biometric authentication uses your body as your password — fingerprint, face, iris scan.
Bot Detection
Bot Detection figures out if a visitor is a human or a robot. Good bots (Googlebot) are welcome. Bad bots (scrapers, credential stuffers) get blocked.
Brute Force
Brute force is the dumbest but sometimes effective hacking technique — just try every possible password until one works. No creativity needed.
Bug Bounty
A bug bounty program pays ethical hackers to find security vulnerabilities in your product.
CAPTCHA
CAPTCHA is that annoying 'select all traffic lights' test that proves you're human.
CORS
CORS (Cross-Origin Resource Sharing) is the browser's built-in protection that prevents random websites from making API calls to your backend using the vis...
CSP
CSP stands for Content Security Policy.
CSRF
CSRF (Cross-Site Request Forgery) is when a bad website hijacks your logged-in session on a good website to do things you didn't ask for.
Certificate
A certificate is a digital ID card for a website, signed by a trusted authority.
Certificate Authority (CA)
A Certificate Authority is like the DMV of the internet — a trusted organization that vouches for websites' identities.
Certificate Pinning
Certificate Pinning means your app only trusts a SPECIFIC certificate, not any cert signed by a trusted CA.
Clerk
Clerk is auth for developers who hate building auth UI.
Command Injection
Command injection is like SQL injection but worse — instead of attacking your database, the hacker injects shell commands that run on your actual server.
Compliance
Compliance means following the rules — legal, industry, or governmental standards that say how you must handle data and security.
Container Scanning
Container Scanning checks your Docker images for known vulnerabilities in OS packages, libraries, and misconfigurations.
Content Security Policy (CSP)
Content Security Policy is an HTTP header that tells the browser exactly where it's allowed to load scripts, images, and other resources from.
Content Security Policy Headers
CSP tells the browser exactly where scripts, styles, images, and other resources are allowed to load from. If a hacker injects a script pointing to evil.
Cosign
Cosign is the tool for signing container images, SBOMs, and other artifacts. It's part of the Sigstore project and makes image signing as easy as 'cosign s
Credential Rotation
Credential Rotation is the practice of regularly changing ALL your secrets — database passwords, API keys, certificates, tokens.
Cross-Site Request Forgery (CSRF)
CSRF tricks your browser into making requests to another site while you're logged in.
Cross-Site Scripting (XSS)
XSS is when a hacker sneaks their own JavaScript into your website so it runs in other people's browsers.
DAST
DAST attacks your running application to find vulnerabilities — like hiring a friendly hacker to poke at your website.
DDoS
DDoS (Distributed Denial of Service) is when thousands of computers flood your server with so much fake traffic that it can't handle real users.
DDoS Mitigation
DDoS Mitigation protects your site from being overwhelmed by millions of fake requests.
Decryption
Decryption is using the secret decoder ring to turn scrambled gibberish back into a readable message.
Defense in Depth
Defense in Depth means layering multiple security measures so if one fails, others catch the threat.
Dependency Confusion
Dependency Confusion tricks package managers into downloading a malicious public package instead of your private one.
DevSecOps
DevSecOps is the philosophy that security isn't something you bolt on at the end — it's baked into every step of development.
Device Flow
Device Flow is OAuth for devices without a browser or keyboard — smart TVs, CLI tools, IoT devices. The device shows you a code, you go to a URL on your ph
Encoding
Encoding is converting data into a different format for safe transport or storage — not for security, but to prevent misinterpretation.
Encryption
Encryption is scrambling your message into gibberish so only someone with the secret decoder ring can read it.
Envelope Encryption
Envelope Encryption is a two-key system: you encrypt your data with a 'data key,' then encrypt that data key with a 'master key.
Escape
Escaping means converting special characters into their safe equivalents before putting them in HTML, SQL, or a shell command.
Exploit
An exploit is the actual tool or technique used to take advantage of a vulnerability.
FIDO2
FIDO2 is the whole framework that makes passwordless authentication work — WebAuthn (browser side) plus CTAP (authenticator side).
Falco
Falco is a runtime security tool that watches system calls in your Kubernetes cluster.
Feature Policy
Feature Policy (now Permissions Policy) controls which browser features your site and embedded iframes can use. Block camera access? Disable geolocation?
Firebase Auth
Firebase Auth is Google's 'just add authentication' service. Email/password, Google login, Apple sign-in, phone verification — it handles all of it so you
Firestore Rules
Firestore Rules are like a very picky nightclub bouncer who checks not just your ID, but also whether you're on the guest list, wearing the right shoes, an
Fork Bomb
A fork bomb is a program that endlessly copies itself until it eats all system resources and crashes the machine.
GDPR
GDPR (General Data Protection Regulation) is the EU's big rulebook for protecting people's personal data.
HSM (Hardware Security Module)
HSM stands for Hardware Security Module — a tamper-proof physical device that manages cryptographic keys. If someone tries to open it, the keys self-destru
HSTS
HSTS (HTTP Strict Transport Security) tells the browser 'this site is ALWAYS HTTPS, never even try HTTP.
Hardware Security Module
An HSM is a physical device that generates, stores, and uses cryptographic keys without ever exposing them.
HashiCorp Vault
HashiCorp Vault is a fortress for your secrets.
Hashing
Hashing is a one-way blender for data. You throw a password in, it spits out a weird string of letters and numbers, and there's no way to reverse it.
Homomorphic Encryption
Homomorphic Encryption lets you do math on encrypted data WITHOUT decrypting it.
Image Signing
Image Signing is like putting a wax seal on your Docker images.
Input Validation
Input validation is checking that user input is what you expect before using it.
JWT Security
JWT Security is about not screwing up JSON Web Tokens.
KMS (Key Management Service)
KMS is the cloud service that holds your encryption keys in a hardware vault and does crypto operations for you. Need to encrypt something? Send it to KMS.
Key Management Service
A Key Management Service (KMS) manages your encryption keys so you don't have to.
Lucia Auth
Lucia Auth is the 'I want to understand my auth' library.
MD5
MD5 is the old grandpa hash algorithm — fast, but full of holes.
MFA
MFA stands for Multi-Factor Authentication. It's the umbrella term for requiring multiple proofs of identity. 2FA is MFA with exactly two factors.
MITM
MITM stands for Man-in-the-Middle. An attacker silently sits between your browser and the server, eavesdropping on everything.
Magic Link
A login method where they email you a special link instead of asking for a password. Click the link, you're in.
Man-in-the-Middle (MITM)
A man-in-the-middle attack is when a hacker secretly sits between you and the website you're talking to, reading and possibly changing everything you send...
Microsegmentation
Microsegmentation is network segmentation dialed up to 11. Instead of segmenting by subnet, you create rules for EVERY workload.
Model Inversion
Model inversion is reconstructing training data from a trained ML model — the privacy attack that makes ML teams sweat.
Multi-Factor Authentication (MFA)
MFA is like 2FA but can use more than two factors. Three locks instead of two.
Network Segmentation
Network Segmentation divides your network into isolated zones. The web servers can't talk to the database directly.
NextAuth
NextAuth is the 'build your own auth but with guardrails' option.
OAuth Scopes
OAuth Scopes define what an app is allowed to do with your account. 'Read your email' is a scope. 'Send email on your behalf' is another.
OAuth2 Proxy
OAuth2 Proxy sits in front of your app and says 'not logged in? go authenticate first.
OWASP
OWASP (Open Web Application Security Project) is the internet's biggest security club.
OWASP API Top 10
The OWASP API Top 10 is a cheat sheet of the most common ways APIs get hacked.
OWASP Top 10
The OWASP Top 10 is the security industry's greatest hits of web vulnerabilities — the 10 most common, dangerous ways apps get hacked.
PCI DSS
PCI DSS is the security standard you must follow if you handle credit card data.
PKCE
PKCE (pronounced 'pixy') prevents someone from stealing your OAuth authorization code and using it.
Passkey
Passkeys replace passwords with biometrics (fingerprint, face) or device PINs. No more 'Forgot password?
Passkeys
Passkeys replace passwords with your fingerprint, face, or device PIN. No more remembering 'P@ssw0rd123!' — your phone or laptop IS your password.
Passport.js
Passport.js is the oldest auth library still standing in Node.js.
Password Manager
A password manager remembers all your passwords so you don't have to reuse the same one everywhere.
Penetration Testing
Penetration testing (pentesting) is hiring ethical hackers to try to break into your own systems before the real bad guys do.
Pentest
Pentest is just short for penetration testing — the art of ethically hacking your own systems to find weaknesses.
Permissions Policy
Permissions Policy is Feature Policy's newer, better version. Same concept — control which browser features your site can use.
Phishing
Phishing is when hackers pretend to be someone you trust — your bank, your boss, Google — to trick you into giving up your password or clicking a bad link.
Principle of Least Privilege
Principle of Least Privilege means everyone and everything gets only the MINIMUM access needed to do their job. The intern doesn't get admin access.
Private Key
A private key is the secret key that only YOU keep. It can decrypt messages encrypted with your public key, or sign messages to prove they came from you.
Prompt Exfiltration
Prompt exfiltration is attacking an AI to leak its system prompt — not hijacking the model's behavior, but stealing its instructions.
Public Key
A public key is like your open mailbox — anyone can drop a message in it (encrypt data with it), but only you have the key to open the box and read it (you...
Rate Limiting Security
Rate Limiting prevents abuse by capping how many requests someone can make. 100 login attempts per minute? Blocked. 1000 API calls per second? Throttled.
Refresh Token
A Refresh Token is a long-lived secret that gets you new access tokens without re-logging in.
Runtime Security
Runtime Security monitors your applications WHILE they're running.
SAST
SAST scans your source code for security bugs WITHOUT running it.
SBOM
An SBOM (Software Bill of Materials) is a complete ingredient list for your software — every library, framework, and dependency with their exact versions.
SCA
SCA checks if the libraries you're using have known vulnerabilities. You didn't write the bug, but you imported it. That lodash version from 2019?
SHA
SHA (Secure Hash Algorithm) is a family of blenders for data.
SLSA
SLSA (pronounced 'salsa') is a framework with levels (1-4) that measure how secure your software supply chain is. Level 1: you have some build process.
SOC 2
SOC 2 is a trust certification for SaaS companies. It proves to enterprise customers that you take security, availability, and privacy seriously.
SQL Injection
SQL injection is when a hacker types SQL code into a text field instead of normal text, and your stupid database runs it.
SSL
SSL (Secure Sockets Layer) is the old-school version of the lock you see in your browser address bar.
SSO (Single Sign-On)
Log in once, access everything. Instead of remembering 47 different passwords for 47 different work apps, you log in to one system (like Google or Okta) an...
Salt
A salt is random gibberish you add to a password before hashing it so two people with the same password get completely different hashes.
Sanitization
Sanitization is cleaning up user input before using it — stripping out anything dangerous like script tags or SQL commands.
Secret Scanning
Secret Scanning checks your code for accidentally committed passwords, API keys, and tokens. Pushed your AWS key to GitHub?
Secure Boot
Secure Boot verifies that every piece of software that loads during startup is signed and trusted. Bootloader? Signed. Kernel? Signed. Drivers? Signed. If
Secure Enclave
A Secure Enclave is a tiny, isolated computer inside your computer that handles the most sensitive stuff — biometric data, encryption keys, payment info.
Security Audit
A security audit is a systematic review of your code, infrastructure, and processes to find security weaknesses.
Security Headers
Security Headers are HTTP response headers that tell browsers 'here's how to protect my users.
Security Theater
Security theater is the stuff that looks secure but doesn't actually stop attackers.
Session Hijacking
Session hijacking is when an attacker steals your session cookie or token and impersonates you.
Sigstore
Sigstore makes signing software as easy as logging in with your Google account. No managing PGP keys, no key rotation headaches.
Social Engineering
Social engineering is hacking people, not computers.
Software Composition Analysis
Software Composition Analysis is a fancy name for 'checking your dependencies for known vulnerabilities and license issues.
Subresource Integrity
Subresource Integrity (SRI) adds a hash to your script and link tags. The browser downloads the file, checks the hash, and only executes it if it matches.
Supply Chain Attack
A supply chain attack is when a hacker doesn't attack YOU — they attack something you depend on.
Supply Chain Security
Supply Chain Security protects the entire path from code to production — dependencies, build systems, registries, everything.
Symmetric Encryption
Symmetric encryption uses the same key to lock and unlock data. Like a house key — whoever has a copy can both lock and unlock the door.
TLS
TLS (Transport Layer Security) is the updated, actually-secure version of SSL. It's the technology that puts the padlock in your browser's address bar.
TOTP
TOTP (Time-based One-Time Password) is the 6-digit code that changes every 30 seconds in apps like Google Authenticator.
TPM (Trusted Platform Module)
TPM is the security chip on your computer's motherboard that stores encryption keys and verifies boot integrity. It's why Windows 11 requires TPM 2.0 — Mic
Token Rotation
Token Rotation means regularly replacing your tokens with fresh ones. Old token out, new token in.
Trusted Platform Module (TPM)
A TPM is a security chip on your motherboard that stores encryption keys, certificates, and passwords in tamper-resistant hardware. It verifies that your c
Two-Factor Authentication (2FA)
2FA means you need two things to log in: something you know (password) and something you have (your phone).
Typosquatting
Typosquatting is when attackers publish malicious packages with names that are one typo away from popular ones. 'lodahs' instead of 'lodash.
Vault
HashiCorp Vault is the Fort Knox of secrets management. It stores API keys, passwords, certificates, and encryption keys behind multiple layers of security
Vulnerability
A vulnerability is a weakness in your code or system that a bad guy could exploit. Like a broken lock on a door.
WAF
WAF stands for Web Application Firewall.
Web Application Firewall (WAF)
A WAF is a smart firewall that understands web traffic.
WebAuthn
WebAuthn is the browser API that makes passkeys work.
Webhook Signature
A webhook signature is like the wax seal on a medieval letter — it proves the message actually came from who it says it came from and wasn't tampered with.
XSS
XSS stands for Cross-Site Scripting. Hackers inject their own JavaScript into your site so when other users visit, the evil script runs in their browser.
Zero Trust
Zero trust means 'never trust, always verify' — even if a request comes from inside your network.
Zero-Day
A zero-day is a vulnerability that nobody knows about yet — except the person who found it. The name means the vendor has had 'zero days' to fix it.
Zero-Knowledge Proof
A Zero-Knowledge Proof lets you prove you know something without revealing what you know. Prove you're over 18 without showing your birthday.
mTLS
Normal TLS: you check that the website is legit. mTLS: you BOTH check each other. The server verifies your certificate, you verify the server's.