Web Security Glossary
85 security terms explained in plain English
Cryptography & Transport
6 terms
An SSL (Secure Sockets Layer) certificate is a digital credential, issued by a certificate authority, that binds a public key to a website's identity and enables encrypted connections. The name is historical: certificates issued today are used with TLS, the protocol that replaced SSL.
Transport Layer Security (TLS) is the cryptographic protocol that secures communication over the internet, replacing the older SSL protocol.
HTTPS (HyperText Transfer Protocol Secure) is the encrypted version of HTTP, using TLS to secure data between a browser and a web server.
HTTP Strict Transport Security (HSTS) is a security policy mechanism, delivered in the Strict-Transport-Security response header, that instructs browsers to connect to a site only over HTTPS, never HTTP, for the declared max-age. A browser that has never seen the header is still exposed on its first plain-HTTP request, which is what the browser preload list exists to close.
HTTP/2 is the second major version of the HTTP network protocol, designed to improve web performance through multiplexing, header compression, and server push.
HTTP/3 is the third major version of HTTP, built on QUIC (a UDP-based transport protocol) rather than TCP.
Email Security
6 terms
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication policy that builds on SPF and DKIM: it requires the domain that passed SPF or DKIM to align with the visible From: domain, tells receiving mail servers what to do with messages that fail (none, quarantine, or reject), and says where to send reports.
Sender Policy Framework (SPF) is an email authentication method that specifies which mail servers are authorized to send email on behalf of a domain.
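An added example, not part of the glossary, of how a receiving server evaluates the SPF and DMARC records described in the two entries above. DNS is replaced by a constructed TXT dictionary so it runs offline; TXT, check_spf, parse_dmarc and dmarc_disposition are assumed names, and only the ip4/ip6/include/all SPF mechanisms are implemented.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, _lookups=None):
    """SPF result (pass/fail/softfail/neutral/none/permerror) for a connecting IP
    claiming to send for `domain`. a/mx/exists would need further DNS and are
    treated as no match here."""
    lookups = [0] if _lookups is None else _lookups
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # Different address families never match; ip_network handles that.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:  # RFC 7208 limit on DNS-querying mechanisms
                return "permerror"
            # include: matches only if the referenced record yields "pass".
            if check_spf(arg, ip, lookups) == "pass":
                return QUALIFIERS[qual]
    return "neutral"


def parse_dmarc(domain):
    """Parse the tag=value pairs of the _dmarc TXT record; {} if absent/invalid."""
    record = TXT.get("_dmarc." + domain, "")
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def dmarc_disposition(from_domain, spf_result, spf_aligned, dkim_valid, dkim_aligned):
    """DMARC passes if SPF or DKIM passes *and* that identifier aligns with the
    RFC5322.From domain; otherwise the domain's published policy applies."""
    if (spf_result == "pass" and spf_aligned) or (dkim_valid and dkim_aligned):
        return "deliver"
    policy = parse_dmarc(from_domain).get("p", "none")
    return policy if policy in ("reject", "quarantine") else "deliver"
```

Note the asymmetry the example shows: an include that ends in ~all does not make the outer record soft-fail, because include only contributes a "pass"; the outer -all still decides.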
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outgoing email headers, allowing receiving servers to verify that the message was signed with a key published in the signing domain's DNS and that the signed headers and body have not been altered in transit.
DNS Security Extensions (DNSSEC) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses have not been tampered with.
SMTP MTA Strict Transport Security (MTA-STS) is an email security standard that enables mail servers to declare their ability to receive TLS-encrypted email and specify whether sending servers should refuse to deliver to MX hosts that don't offer TLS.
Brand Indicators for Message Identification (BIMI) is an email specification that allows brands to display their logo in the email client's inbox next to authenticated messages.
Web Security
14 terms
Cross-Origin Resource Sharing (CORS) is a browser mechanism by which a server uses response headers (Access-Control-Allow-Origin and related) to relax the same-origin policy and let pages from other origins read its responses. It is the same-origin policy, not CORS, that restricts cross-origin reads; a CORS configuration that reflects any Origin while allowing credentials removes that restriction entirely.
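An added example, not from the glossary, of the server-side origin check that decides what CORS headers go out on a credentialed endpoint. Two common misconfigurations (reflecting any Origin, and substring matching) sit beside an exact-match allowlist; ALLOWED_ORIGINS and the sample origins are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: exact origins, i.e. scheme + host (+ port), nothing else.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_reflect_origin(origin):
    """Misconfiguration 1: echo whatever Origin arrives and allow credentials.
    Any site the victim visits can then read their authenticated responses."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_substring_match(origin):
    """Misconfiguration 2: a substring check. The attacker registers
    app.example.com.attacker.net, which contains 'example.com' and is accepted."""
    if origin is None or "example.com" not in origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def cors_allowlist(origin):
    """Hardened check: the Origin must be well-formed and exactly allowlisted."""
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # A real Origin header is scheme://host[:port]; path, query, fragment or
    # userinfo means someone is probing the parser.
    if (parts.scheme != "https" or parts.path or parts.query
            or parts.fragment or "@" in parts.netloc):
        return {}
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            # Vary: Origin stops a shared cache handing one origin's response
            # (with its ACAO header) to a request from another origin.
            "Vary": "Origin"}
```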
Cross-Site Request Forgery (CSRF) is an attack where a malicious website tricks a user's browser into sending authenticated requests to another site where the user is logged in.
Cross-Site Scripting (XSS) is a web vulnerability where attackers inject malicious scripts into content that is then executed in victims' browsers.
SQL Injection is an attack where malicious SQL statements are inserted into input fields to manipulate a database query.
Insecure Direct Object Reference (IDOR) is an access control vulnerability where an application exposes internal object references (like database IDs) without verifying that the requesting user is authorized to access that object.
Server-Side Request Forgery (SSRF) is a vulnerability where an attacker can make the server initiate requests to arbitrary URLs, including internal services not accessible from the internet.
Remote Code Execution (RCE) is a critical class of vulnerability that allows an attacker to run arbitrary code on a target server or system.
Local File Inclusion (LFI) is a vulnerability that allows an attacker to include files from the server's local filesystem through a web application, often by manipulating a file path parameter.
A path traversal attack (also known as directory traversal) uses sequences like ../ in a file path parameter to reach files outside the directory the application intended to expose.
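An added example, not from the glossary, of a naive join that lets ../ and absolute paths escape the document root, next to a resolver that decodes once, normalises, and requires the result to stay under the root. WEB_ROOT and the function names are assumptions; paths are handled lexically so the example runs on any platform.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"  # constructed document root


def unsafe_join(user_path):
    """Naive join: '../' climbs out of WEB_ROOT and an absolute path replaces it."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def safe_resolve(user_path):
    """Decode percent-encoding exactly once (so %2e%2e%2f is caught but a
    double-encoded %252e stays a literal filename), reject NUL bytes, normalise,
    then require the result to be WEB_ROOT itself or something beneath it."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        raise ValueError("path escapes the document root")
    return full


def is_safe(user_path):
    try:
        safe_resolve(user_path)
        return True
    except ValueError:
        return False
```

On a real filesystem, apply the same containment check to os.path.realpath of the result as well, otherwise a symlink inside the root can still point outside it.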
Clickjacking is an attack where a malicious page embeds a legitimate site in an invisible iframe and tricks users into clicking on its controls while thinking they're interacting with the malicious page.
An open redirect vulnerability allows an attacker to craft a URL on a trusted domain that redirects users to an arbitrary external URL.
XML External Entity (XXE) injection is a vulnerability that exploits weakly configured XML parsers that process external entity references.
Insecure deserialization occurs when an application deserializes untrusted data without proper validation, potentially allowing attackers to manipulate serialized objects to achieve arbitrary code execution, authentication bypass, or data tampering.
Prototype pollution is a JavaScript-specific vulnerability where an attacker can inject properties into Object.prototype, so that every object inheriting from it picks up the attacker-controlled property.
Authentication & Identity
14 terms
JSON Web Token (JWT) is a compact, URL-safe token format used to represent claims between two parties, commonly used for authentication and authorization. The claims are only base64url-encoded, not encrypted, and should be trusted only after the signature has been verified with an algorithm the server pins rather than one the token names.
OAuth 2.0 is an authorization framework that lets a user grant a third-party application limited, revocable access to their resources on another service, via scoped access tokens, without sharing their password with that application.
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).
Single Sign-On (SSO) is an authentication scheme that allows users to log in once and gain access to multiple related applications without re-entering credentials.
Multi-Factor Authentication (MFA) requires users to verify their identity using two or more factors: something they know (password), something they have (phone/hardware key), or something they are (biometric).
Time-based One-Time Password (TOTP, RFC 6238) is an MFA mechanism that derives a short code (typically 6 digits) from an HMAC of a shared secret and the current time step, so the code changes at a fixed interval (typically 30 seconds).
Web Authentication (WebAuthn) is a W3C standard that enables password-less or second-factor authentication using public-key cryptography and hardware authenticators like security keys (YubiKey) or platform authenticators (Face ID, Touch ID).
Passkeys are a FIDO2/WebAuthn-based credential that replace passwords entirely, using device-stored cryptographic keys synced via iCloud Keychain, Google Password Manager, or similar.
An API key is a simple secret token used to authenticate requests to an API, typically passed as a query parameter or HTTP header.
A bearer token is an access token passed in the HTTP Authorization header as "Authorization: Bearer <token>". Possession alone is proof of authority, so anyone who captures the token can use it; it must travel only over TLS and be kept out of URLs and logs.
A session cookie is a small piece of data stored in the browser that the server uses to identify an authenticated user's session.
The HttpOnly flag is a cookie attribute that prevents JavaScript from accessing the cookie via document.cookie, so a script injected through XSS cannot read it.
The SameSite cookie attribute controls when cookies are sent with cross-site requests, providing protection against CSRF attacks.
The Secure flag on a cookie instructs browsers to only send the cookie over HTTPS connections, never over plain HTTP.
Headers & Policies
5 terms
Content Security Policy (CSP) is an HTTP response header that tells browsers which sources of content (scripts, styles, images, etc.) the page may load, limiting what injected markup or script can do.
X-Frame-Options is an HTTP response header that controls whether a page can be embedded in an iframe on another site.
X-Content-Type-Options is an HTTP header with one valid value: nosniff, which stops browsers from guessing ("sniffing") a response's content type and treating it as something other than what Content-Type declares.
The Referrer-Policy HTTP header controls how much referrer information is included in requests made from your site to other sites.
Permissions-Policy (formerly Feature-Policy) is an HTTP header that allows a site to control which browser features and APIs can be used, both by the page itself and by embedded iframes.
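An added example, not from the glossary, of a small audit over a response's header set covering the five entries above, with a CSP parser that knows 'unsafe-inline' is neutralised once a nonce or hash is present. parse_csp and audit_response_headers are assumed names; the header sets in the test are constructed.

```python
def parse_csp(value):
    """'script-src 'self' cdn.example; object-src 'none'' -> {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_response_headers(headers):
    """Return findings for a response's security headers; names are compared
    case-insensitively because HTTP header names are."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if not policy:
        findings.append("no Content-Security-Policy")
    else:
        script = policy.get("script-src", policy.get("default-src", []))
        if not script:
            findings.append("CSP has neither script-src nor default-src")
        strong = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
        # CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce/hash is listed.
        if "'unsafe-inline'" in script and not strong:
            findings.append("script-src allows 'unsafe-inline': CSP does not stop XSS")
        if "*" in script or any(s.startswith("http:") for s in script):
            findings.append("script-src allows wildcard or http: sources")
        if "object-src" not in policy and "default-src" not in policy:
            findings.append("no object-src or default-src: plugin content unrestricted")
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "strict-transport-security" not in h:
        findings.append("no Strict-Transport-Security")
    if "referrer-policy" not in h:
        findings.append("no Referrer-Policy")
    return findings
```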
Compliance & Frameworks
7 terms
SOC 2 (Service Organization Control 2) is an auditing framework developed by the AICPA that evaluates how service organizations manage customer data across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The General Data Protection Regulation (GDPR) is a comprehensive EU privacy law that governs how organizations collect, process, and store personal data of EU residents.
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that establishes standards for protecting sensitive patient health information (PHI).
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards required by the card brands (Visa, Mastercard, etc.) of every organization that stores, processes, or transmits cardholder data.
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS), providing a framework for establishing, implementing, maintaining, and continually improving information security practices.
The Federal Risk and Authorization Management Program (FedRAMP) is a US government program that standardizes security assessments and authorizations for cloud products and services used by federal agencies.
The Cybersecurity Maturity Model Certification (CMMC) is a US Department of Defense framework that requires defense contractors to implement specific cybersecurity practices based on the sensitivity of controlled unclassified information (CUI) they handle.
Security Testing
6 terms
Penetration testing (pen testing) is a simulated cyberattack performed by authorized security professionals to discover exploitable vulnerabilities in systems, applications, or networks before real attackers do.
Vulnerability scanning is an automated process of identifying known security weaknesses in systems, applications, and networks using a database of known vulnerabilities (CVEs).
The Common Vulnerability Scoring System (CVSS) is a standardized framework for rating the severity of security vulnerabilities on a scale of 0–10.
Common Vulnerabilities and Exposures (CVE) is a standardized system for identifying and naming publicly known security vulnerabilities.
A zero-day vulnerability is a security flaw that is unknown to the vendor or has no available patch, giving defenders "zero days" to prepare.
An N-day vulnerability is a publicly known vulnerability for which a patch exists but has not yet been applied by the affected organization; "N" is the number of days since disclosure, during which attackers can work from the public details while unpatched systems remain exposed.
Architecture & Design
12 terms
Zero Trust is a security model based on the principle "never trust, always verify" — assuming no user, device, or network segment is inherently trusted, even inside the corporate perimeter.
The principle of least privilege states that users, processes, and systems should be granted only the minimum access rights needed to perform their function, and no more.
Defense in depth is a security strategy that layers multiple defensive mechanisms so that if one control fails, others remain to prevent or limit the impact of an attack.
Security by design means building security into systems from the earliest design stages rather than adding it as an afterthought.
Encryption at rest refers to encrypting data when it is stored, protecting it from unauthorized access if physical media is lost or stolen or if a cloud storage bucket is misconfigured.
Encryption in transit protects data as it moves between systems, preventing interception by network attackers.
Key management refers to the processes and systems for generating, storing, distributing, rotating, and revoking cryptographic keys.
A Hardware Security Module (HSM) is a physical computing device that safeguards and manages cryptographic keys within a tamper-resistant hardware environment.
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all components, libraries, and dependencies included in a software product, analogous to an ingredient list for food.
Software supply chain security encompasses the practices, policies, and tools used to protect the integrity of code and components throughout the software development lifecycle — from source code and build systems to package repositories and deployment pipelines.
Dependency confusion is a supply chain attack where an attacker publishes a malicious package to a public registry (npm, PyPI, RubyGems) using the same name as an internal private package, so that a build configured to consult both registries resolves the public copy (typically published with a higher version number) instead of the private one.
Typosquatting is a type of attack where adversaries register domain names or publish packages with names similar to legitimate ones, betting that users will accidentally use the malicious version due to typos.
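An added example, not from the glossary, of a dependency-list audit for the two attacks above: it flags internal package names that also exist on the public index (dependency confusion) and unknown names one edit away from a popular package (typosquatting). The package sets and the public-index snapshot are constructed; normalize, edit_distance and audit_dependencies are assumed names.

```python
import re

# Constructed data: the organisation's private package names, a shortlist of
# popular public packages, and a snapshot of what the public index serves.
INTERNAL_PACKAGES = {"acme-billing", "acme-auth-client"}
POPULAR_PACKAGES = {"requests", "numpy", "django", "flask", "urllib3", "cryptography", "boto3"}
PUBLIC_INDEX = {
    "requests": "2.32.0", "numpy": "1.26.4", "urllib3": "2.2.1",
    "acme-billing": "99.0.0",      # attacker-published claim on an internal name
    "requets": "0.1.0", "crypt0graphy": "1.0.0",
}


def normalize(name):
    """PEP 503 normalisation: an index treats Acme_Billing and acme-billing alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_dependencies(names):
    """Return (name, reason) pairs for suspicious entries in a dependency list."""
    findings = []
    for raw in names:
        name = normalize(raw)
        if name in INTERNAL_PACKAGES and name in PUBLIC_INDEX:
            findings.append((raw, "dependency confusion: internal name is also on the public index"))
        if name not in POPULAR_PACKAGES:
            for popular in sorted(POPULAR_PACKAGES):
                if edit_distance(name, popular) == 1:
                    findings.append((raw, f"possible typosquat of {popular}"))
    return findings
```

Detection is the fallback; the fix for confusion is to claim internal names on the public registry (or use scoped/namespaced names) and to resolve internal packages only from a private index that never falls through to the public one.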
DNS & Network
9 terms
A subdomain takeover occurs when a DNS record points to an external service (like a deprovisioned Heroku app, GitHub Pages site, or S3 bucket) that an attacker can claim.
DNS hijacking is an attack where an attacker modifies DNS records to redirect traffic to a malicious server.
DNS cache poisoning (also known as DNS spoofing) is an attack where forged DNS responses are inserted into a resolver's cache, causing it to return malicious IP addresses for legitimate domains.
ARP spoofing (or ARP poisoning) is a local network attack where an attacker sends fake ARP (Address Resolution Protocol) messages to associate their MAC address with a legitimate IP address, enabling man-in-the-middle attacks on the local network.
A Web Application Firewall (WAF) inspects HTTP/S traffic between a web application and the internet, blocking common injection attacks such as SQL injection and XSS as well as abusive bot traffic. It is a compensating control: it filters known attack patterns and does not fix the underlying vulnerability.
Rate limiting controls how many requests a user or IP address can make to an API or web application within a given time window, protecting against brute-force attacks, credential stuffing, scraping, and denial-of-service.
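An added example, not from the glossary, of a sliding-window rate limiter with an injected clock, applied to the credential-stuffing case: one limiter keyed by source IP and a stricter one keyed by target account, because a stuffing campaign spreads its attempts across many IPs. SlidingWindowLimiter and LoginThrottle are assumed names, as are the limits.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds per key. The caller
    passes `now` explicitly, so tests are deterministic and production can
    feed a monotonic clock."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)   # key -> timestamps of allowed events

    def allow(self, key, now):
        events = self._events[key]
        cutoff = now - self.window
        while events and events[0] <= cutoff:   # drop events outside the window
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class LoginThrottle:
    """Credential-stuffing defence: per-IP and per-account limits combined."""

    def __init__(self):
        self.per_ip = SlidingWindowLimiter(limit=20, window=60)     # assumed limits
        self.per_account = SlidingWindowLimiter(limit=5, window=300)

    def allow_attempt(self, ip, username, now):
        # Evaluate both so a single attempt consumes budget on both counters.
        ip_ok = self.per_ip.allow(ip, now)
        account_ok = self.per_account.allow(username, now)
        return ip_ok and account_ok
```

Per-IP limits alone are defeated by proxy pools; per-account limits alone let an attacker lock out victims, which is why the account limit here is a throttle window rather than a permanent lockout.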
A Distributed Denial of Service (DDoS) attack floods a target server, service, or network with traffic from multiple sources to overwhelm its capacity and make it unavailable to legitimate users.
CDN (Content Delivery Network) security refers to the security capabilities provided by CDN providers, including DDoS mitigation, WAF, bot management, TLS termination, and edge caching.
TLS termination is the process of decrypting TLS-encrypted traffic at a load balancer, reverse proxy, or CDN edge node before forwarding the decrypted request to backend servers. Unless the hop from the terminating node to the backend is re-encrypted, traffic on that internal segment travels in plaintext.
Incident Response
6 terms
Incident response (IR) is the organized approach to detecting, containing, eradicating, and recovering from cybersecurity incidents.
Security Information and Event Management (SIEM) is a platform that aggregates and correlates log data from across an organization's infrastructure to detect security threats and anomalies in real time.
A Security Operations Center (SOC) is a team or facility of security analysts responsible for continuously monitoring and responding to cybersecurity threats.
Threat intelligence is evidence-based knowledge about existing or emerging threats, including attacker tactics, techniques, procedures (TTPs), indicators of compromise (IOCs), and threat actor profiles.
An Indicator of Compromise (IOC) is a piece of forensic data or artifact that suggests a system may have been breached or is under attack.
An Indicator of Attack (IOA) focuses on detecting the behaviors and intent of an attacker in progress, rather than the artifacts they leave behind.
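An added example, not from the glossary, that runs both kinds of detection from the two entries above over constructed sshd-style log lines: an IOC match against a feed of known-bad IPs, and an IOA rule that flags a burst of failed logins from one IP and escalates if a success follows. SAMPLE_LOG, IOC_IPS, parse_events and detect are all constructed or assumed names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (ISO timestamps) covering about two minutes.
SAMPLE_LOG = """\
2024-03-01T10:00:01 bastion sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-03-01T10:00:03 bastion sshd[4102]: Failed password for root from 203.0.113.5 port 51235 ssh2
2024-03-01T10:00:04 bastion sshd[4103]: Failed password for admin from 203.0.113.5 port 51236 ssh2
2024-03-01T10:00:06 bastion sshd[4104]: Failed password for admin from 203.0.113.5 port 51237 ssh2
2024-03-01T10:00:08 bastion sshd[4105]: Failed password for deploy from 203.0.113.5 port 51238 ssh2
2024-03-01T10:00:10 bastion sshd[4106]: Accepted password for deploy from 203.0.113.5 port 51239 ssh2
2024-03-01T10:00:30 bastion sshd[4110]: Accepted publickey for carol from 198.51.100.23 port 40001 ssh2
2024-03-01T10:01:15 bastion sshd[4120]: Failed password for carol from 192.0.2.77 port 40002 ssh2
"""

# Constructed IOC feed: source IPs reported as malicious.
IOC_IPS = {"198.51.100.23"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Turn matching log lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def detect(events, threshold=5, window_seconds=60):
    """IOC: any event from a known-bad IP. IOA: >= threshold failures from one
    IP inside the window (brute force), escalated when a success follows."""
    alerts = []
    for e in events:
        if e["ip"] in IOC_IPS:
            alerts.append(("ioc_match", e["ip"], e["user"]))
    failures = defaultdict(list)
    flagged = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["ip"]
        if e["result"] == "Failed":
            fails = failures[ip]
            fails.append(e["ts"])
            while fails and (e["ts"] - fails[0]).total_seconds() > window_seconds:
                fails.pop(0)
            if len(fails) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, e["user"]))
        elif ip in flagged:
            alerts.append(("brute_force_success", ip, e["user"]))
    return alerts
```

The IOC rule needs no context but goes stale as soon as the attacker changes address; the IOA rule knows nothing about the attacker and fires on behaviour alone, which is the distinction the two definitions draw.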