Security glossary

The web security vocabulary, defined clearly.

Name: Barrion
Availability: InStock
Author: Barrion

A short, alphabetical reference for the acronyms that show up in audits, pull-request reviews, and customer security questionnaires. No jargon for jargon's sake.

Get free report See pricing

A to Z

50 terms every web team should recognise.

Each definition is one or two sentences. Where a term has a longer explainer, the heading links to it.

Brute Force Attack: Guessing credentials, tokens, or keys by trying every combination until one works. Defended with rate limiting, account lockouts, strong password hashing, and multi-factor authentication on sensitive logins.
Clickjacking: An attack that loads your site in a transparent iframe over a decoy page so users click buttons they cannot see. Blocked by X-Frame-Options or CSP's frame-ancestors directive.
CORSCross-Origin Resource Sharing: HTTP headers that tell a browser whether JavaScript on origin A can read responses from origin B. Misconfigured CORS (wildcard with credentials, reflecting any Origin) leaks data across sites.
Credential Stuffing: Replaying username and password pairs leaked from other breaches against your login endpoint. Mitigated with multi-factor authentication, breached-password checks, and rate limits on failed attempts per account and IP.
CSPContent Security Policy: A response header that restricts which scripts, styles, frames, and connections a page can load. A strong CSP is the single most effective XSS mitigation in modern browsers.
CSRFCross-Site Request Forgery: An attack where a malicious site triggers state-changing requests in a target app the victim is already logged into. Mitigated with SameSite cookies, anti-CSRF tokens, and Origin checks.
CVECommon Vulnerabilities and Exposures: A public catalogue of disclosed software vulnerabilities, each with a stable identifier (CVE-YYYY-NNNNN). Used by scanners, advisories, and patch notes so everyone refers to the same bug.
CVSSCommon Vulnerability Scoring System: A 0 to 10 severity score for vulnerabilities, broken into base, temporal, and environmental metrics. Useful as a starting point, but real risk also depends on exposure and exploitability in your app.
DASTDynamic Application Security Testing: Testing a running application from the outside, the way an attacker would. Barrion's continuous monitoring is a production-safe DAST that reads what your live app exposes without touching state.
DDoSDistributed Denial of Service: Flooding a target with traffic from many sources to exhaust bandwidth, connections, or CPU. Mitigated with upstream scrubbing services, anycast networks, and aggressive rate limiting at the edge.
Defense in Depth: Layering multiple independent controls so no single failure exposes the system. A WAF, secure code, network segmentation, and audit logging together survive any one of them being bypassed.
DKIMDomainKeys Identified Mail: An email authentication standard that signs outbound messages with a key published in DNS. Receivers verify the signature to confirm the message wasn't forged or modified in transit.
DMARCDomain-based Message Authentication, Reporting & Conformance: Builds on SPF and DKIM. Tells receivers what to do with messages that fail authentication (none, quarantine, reject) and where to send aggregate reports.
DNSSECDNS Security Extensions: Cryptographic signatures on DNS records so resolvers can verify answers haven't been tampered with. Defeats DNS cache poisoning and many spoofing routes.
HSTSHTTP Strict Transport Security: A response header that forces browsers to use HTTPS for your domain for a set duration. Stops SSL-stripping downgrade attacks and accidental http:// links.
HTTPS: HTTP layered over TLS. Encrypts the connection, authenticates the server with a certificate, and protects integrity. The baseline for any production web app.
IDORInsecure Direct Object Reference: An access control bug where an app trusts a user-supplied identifier (an order ID, a file path) without checking ownership. Often exploitable by incrementing a number in a URL.
JWTJSON Web Token: A signed (and optionally encrypted) token format used for stateless authentication. Easy to misuse: pin the algorithm, validate the signature, check expiry, and never accept the alg=none header.
MITMMan-in-the-Middle: An attacker sits between client and server, reading or modifying traffic. TLS with certificate validation defeats it on the network; on hostile Wi-Fi, HSTS and certificate pinning add further protection.
MITRE ATT&CK: A public knowledge base of adversary tactics and techniques observed in real intrusions. Defenders use it to map detection coverage, run purple-team exercises, and describe incidents in shared language.
Mixed Content: An HTTPS page that loads sub-resources (scripts, images, iframes) over plain HTTP. Browsers block active mixed content and warn on passive. Breaks the trust HTTPS is supposed to provide.
OWASPOpen Worldwide Application Security Project: A non-profit community that publishes free application-security resources, including the OWASP Top 10, ASVS, and the ZAP scanner. Vendor-neutral and widely cited in audits.
Path Traversal: Tricking a file-handling endpoint into reading or writing outside its intended directory by sending ../ sequences or absolute paths. Mitigated by validating against an allow-list and resolving paths before checks.
PCI DSSPayment Card Industry Data Security Standard: The compliance regime for anyone storing, processing, or transmitting cardholder data. Requirements 6 and 11 cover secure development and continuous vulnerability management.
Penetration Testing: A scoped, time-boxed engagement where testers actively try to exploit an app, network, or device. Produces a report of confirmed findings, severity, and remediation, often required for SOC 2 and PCI.
Permissions-Policy: A response header that allow-lists which browser features (camera, microphone, geolocation, payment, FLoC) a page and its iframes can use. Replaces the older Feature-Policy header.
Phishing: Social-engineering attacks that trick users into handing over credentials, tokens, or money, usually via spoofed email or lookalike domains. SPF, DKIM, DMARC, and phishing-resistant MFA cut the blast radius.
Principle of Least Privilege: Every user, service, and process gets only the permissions it needs to do its job, and nothing more. Limits the damage of stolen credentials, buggy code, and insider mistakes.
Privilege Escalation: Turning limited access into broader access, either vertically (user becomes admin) or horizontally (user A reads user B's data). Often chained with another bug to complete a breach.
Rate Limiting: Capping how often a client can hit an endpoint within a time window. Blunts brute force, credential stuffing, scraping, and accidental traffic spikes from buggy clients.
Referrer-Policy: Controls how much of the Referer URL the browser sends on outbound requests. Tight policies (no-referrer, strict-origin-when-cross-origin) avoid leaking session tokens or internal paths.
Same-Origin Policy: The browser rule that scripts loaded from one origin (scheme, host, port) cannot read responses from another. The foundation that CORS, postMessage, and cookies all sit on top of.
SameSite Cookie: A cookie attribute (Lax, Strict, None) that controls whether cookies are sent on cross-site requests. SameSite=Lax by default kills most CSRF vectors with no code changes.
SAMLSecurity Assertion Markup Language: An XML-based standard for SSO between an identity provider and a service provider. The lingua franca of enterprise single sign-on, alongside OIDC.
SASTStatic Application Security Testing: Analysing source code (or compiled artefacts) without running it, to find bugs like injection, hardcoded secrets, or unsafe APIs. Barrion's SAST runs on GitHub PRs with framework-aware rules.
Secrets Management: Keeping API keys, database passwords, and signing keys out of source code and CI logs, and rotating them when staff or services change. Use a vault, scoped tokens, and short lifetimes.
SIEMSecurity Information and Event Management: A platform that collects logs from apps, servers, and network gear, correlates them, and raises alerts on suspicious patterns. The hub most SOC teams investigate incidents from.
SOC 2Service Organization Control 2: An AICPA audit framework for SaaS providers covering security, availability, processing integrity, confidentiality, and privacy. CC6.x maps directly to continuous vulnerability monitoring.
SPFSender Policy Framework: A TXT record in DNS listing the mail servers allowed to send for your domain. Receivers reject mail from anywhere else. Pairs with DKIM and DMARC.
SQL Injection: Injecting attacker-controlled SQL into a query because user input was concatenated into the statement. Mitigated with parameterised queries or an ORM, never string concatenation, plus least-privilege database accounts.
SSRFServer-Side Request Forgery: Tricking a server into making outbound HTTP requests it shouldn't, typically to internal-only services or cloud metadata endpoints (169.254.169.254). A staple of cloud breaches.
Subdomain Takeover: A dangling CNAME or NS record points at a third-party service (Heroku, S3, GitHub Pages) you no longer own. Anyone who registers the underlying resource controls your subdomain.
Threat Modeling: Sitting down before you ship and asking what can go wrong, who would do it, and what you will do about it. STRIDE and attack trees are the usual structures.
TLSTransport Layer Security: The cryptographic protocol underneath HTTPS. Modern deployments should serve TLS 1.2 and 1.3 only, disable export ciphers and RC4, and keep certificates valid and well before expiry.
WAFWeb Application Firewall: A filter (often cloud-based) that inspects HTTP requests and blocks known attack patterns before they reach your origin. Useful, but not a substitute for fixing the underlying bug.
X-Frame-Options: A legacy response header (DENY or SAMEORIGIN) that stops other sites from embedding yours in an iframe. Defeats clickjacking. CSP's frame-ancestors directive is the modern equivalent.
XSSCross-Site Scripting: Injecting attacker-controlled JavaScript into a page so it runs in someone else's session. Mitigated by output encoding, a strict CSP, and avoiding innerHTML on untrusted data.
XXEXML External Entity: An XML parser bug where external entity references let an attacker read local files, hit internal services, or trigger denial of service. Fixed by disabling DTDs and external entities in the parser.
Zero-Day Vulnerability: A flaw exploited in the wild before the vendor has a patch available. Defenders rely on virtual patching at the WAF, behavioural detection, and quick rollouts once a fix lands.
Zero Trust: An architecture that assumes the network is hostile and authenticates every request on identity, device posture, and context, rather than trusting anything because it sits behind a firewall.

FAQ

Glossary, explained.

Why does Barrion publish a security glossary?

Most security tooling assumes you already know the vocabulary. We don't. Every Barrion finding links to the term it references, so engineers shipping their first fix can read the definition, the why, and the remediation in one place without context-switching to a different site.

Which of these does Barrion actually check?

All of the configuration-level items (TLS, HSTS, HTTPS, CSP, CORS, X-Frame-Options, Referrer-Policy, Permissions-Policy, mixed content, SPF, DKIM, DMARC, DNSSEC, subdomain takeover candidates) are continuously monitored in the DAST product. Code-level patterns (XSS, SQL injection, IDOR, SSRF) are covered by SAST on GitHub PRs and by the AI pentesting product. Compliance frameworks (SOC 2, PCI DSS) drive the report templates and control mappings.

Where can I read more about a specific term?

Many entries link to a longer /learn page with what the check is, why it matters, and how Barrion checks it. If a term doesn't have a link yet, the definition here is enough to use in a code review or a customer security questionnaire.

How often do these definitions change?

The underlying standards (CSP, TLS, DMARC) evolve slowly, on the order of years. We refresh the glossary whenever a major spec update lands, when browser behaviour shifts (for example, the move from Feature-Policy to Permissions-Policy), or when a term shows up in enough customer questions to warrant clarification.

See these terms applied to your app.

Run a free Barrion scan and get a report that names the specific headers, certificates, and DNS records you should care about, with step-by-step fixes.

Get free report See pricing