Web app security, explained
Plain-English guides to the issues AppSafe checks for — what each one is, why it matters, and exactly how to fix it.
Security Headers
High
Content-Security-Policy (CSP): what it is and how to add one
The header that stops injected scripts from running.
High
HTTP Strict Transport Security (HSTS) explained
Force every connection to use HTTPS — even the first one.
Medium
Clickjacking and X-Frame-Options: keep your pages out of iframes
One header stops attackers from overlaying your app inside an iframe.
Misconfigurations
Critical
Exposed .env files: how attackers find your secrets
A single reachable .env can hand over your whole stack.
High
CORS misconfiguration: the wildcard and reflection traps
Allow every origin and any site can read your API.
High
Source maps in production leak your source code
Shipped .map files hand over your original source.
Exposed Secrets
DNS & Email Security
Cookie Security
Redirect Chain