Practical Web Security Guides for Developers
Understand the vulnerabilities that matter most, how attackers exploit them, and the concrete steps you can take to eliminate them. Covering OWASP Top 10, API security, authentication, and more.
Security topics covered
Each guide focuses on a specific vulnerability class — what it is, how it is exploited, and how to fix it.
Injection Attacks
SQL injection, command injection, and LDAP injection remain the most damaging vulnerability class. Learn how attackers exploit unsanitised input and how parameterised queries eliminate the risk entirely.
- SQL Injection (SQLi)
- Command Injection
- LDAP Injection
- NoSQL Injection
- Parameterised queries
Cross-Site Scripting (XSS)
XSS lets attackers run JavaScript in your users' browsers. Understand the difference between reflected, stored, and DOM-based XSS — and why output encoding and CSP are your primary defences.
- Reflected XSS
- Stored XSS
- DOM-based XSS
- Content Security Policy
- Output encoding
Authentication & Session Security
Broken authentication is responsible for widespread account takeovers. This guide covers secure session management, credential storage, MFA implementation, and protecting against brute-force attacks.
- Session token entropy
- Secure cookie flags
- Multi-factor authentication
- Password hashing (bcrypt/argon2)
- Brute-force protection
Broken Access Control
The #1 category in OWASP Top 10. Learn how attackers exploit missing authorisation checks to access data and functions they should not — and how to implement robust server-side enforcement.
- Insecure Direct Object References (IDOR)
- Privilege escalation
- Forced browsing
- JWT misconfigurations
- Server-side authorisation
Security Misconfiguration
Default credentials, verbose error messages, open cloud storage buckets, and missing security headers are all forms of misconfiguration. Understand what attackers look for and how to harden your stack.
- Security headers (CSP, HSTS, X-Frame-Options)
- TLS/SSL configuration
- Cloud storage permissions
- Error message exposure
- Default credentials
API Security
Modern applications expose vast API attack surfaces. This guide covers REST and GraphQL-specific risks: mass assignment, excessive data exposure, missing rate limiting, and insecure authentication patterns.
- Mass assignment / over-posting
- Excessive data exposure
- Rate limiting & throttling
- GraphQL introspection risks
- API key management
Eight quick wins that close the most common attack paths
Before diving into deep-dive guides, these eight controls address the majority of opportunistic attacks. Most take under an hour to implement and require no architectural changes.
Enable HTTPS everywhere and set HSTS with a long max-age
Set Secure, HttpOnly, and SameSite=Strict on all session cookies
Add a Content Security Policy header to block XSS execution
Use parameterised queries — never concatenate SQL strings
Enforce server-side authorisation on every request, not just the UI
Rotate and scope API keys; never commit secrets to version control
Disable directory listing and suppress detailed error messages in production
Keep dependencies updated and scan them for known CVEs regularly
Stop checking manually — let Mythos find the gaps
Reading guides builds understanding. Mythos puts that understanding to work — scanning your application for each vulnerability class covered here, returning a prioritised list of findings in under 60 seconds. No configuration required.