Web Security

22 articles

HTTP security headers that protect a website
Web Security, Featured

HTTP Security Headers Explained: How to Check and Grade Yours

A plain-English guide to the HTTP security headers that protect your site — HSTS, CSP, X-Content-Type-Options and more — how to check which you have, and how they are graded.

13 Apr 2026, 7 min read
How to check a website for malware
Web Security

How to Check a Website for Malware

A practical guide to checking any website for malware: the free external scanners to use, the signs of infection, server-side checks, and what to do next.

19 May 2026, 9 min read
What a data breach is and how to respond to one
Web Security

What Is a Data Breach and How to Respond

A plain-English guide to data breaches: what counts as one, the common causes, a step-by-step incident-response plan, the GDPR 72-hour rule, and prevention.

19 May 2026, 9 min read
How to protect your website from bots and scrapers
Web Security

How to Protect Your Website from Bots and Scrapers

Not all bots are bad. Tell good crawlers from abusive scrapers, spot the signals of bot traffic, and layer rate limiting, CAPTCHA, a WAF and bot management.

19 May 2026, 10 min read
What cross-site scripting (XSS) is and how to prevent it
Web Security

What Is Cross-Site Scripting (XSS) and How to Prevent It

A defensive guide to cross-site scripting: the three types explained, plus the layered prevention that stops it — output encoding, CSP and framework escaping.

19 May 2026, 11 min read
What cross-site request forgery (CSRF) is and how to prevent it
Web Security

What Is Cross-Site Request Forgery (CSRF)?

CSRF tricks a logged-in user's browser into sending an unwanted request. Learn the concept and defences: anti-CSRF tokens, SameSite cookies and origin checks.

19 May 2026, 9 min read
What clickjacking is and how to prevent it
Web Security

What Is Clickjacking and How to Prevent It

Clickjacking tricks users into clicking hidden controls via invisible frames. Learn how to check if your site is framable and the defences that stop it.

19 May 2026, 9 min read
How to create a security.txt file under RFC 9116
Web Security

How to Create a security.txt File

A practical guide to security.txt: the RFC 9116 file that tells security researchers how to report vulnerabilities. Fields, an example, and validation.

19 May 2026, 8 min read
What two-factor authentication is and why to use it
Web Security

What Is Two-Factor Authentication (2FA) and Why Use It

A clear guide to two-factor authentication: the three factor types, methods ranked from SMS to passkeys, and why 2FA stops phishing and credential-stuffing.

18 May 2026, 9 min read
What a web application firewall (WAF) is and how it filters traffic
Web Security

What Is a Web Application Firewall (WAF)?

A plain-English guide to web application firewalls: what a WAF filters, the deployment types, OWASP rule sets, false positives, and when a site needs one.

18 May 2026, 10 min read
What Subresource Integrity (SRI) is and how to use it
Web Security

What Is Subresource Integrity (SRI)?

A practical guide to Subresource Integrity: how the integrity attribute and a hash verify third-party scripts, generating hashes, and what its limits are.

18 May 2026, 8 min read
What CORS is and how it works
Web Security

What Is CORS and How Does It Work?

A clear guide to CORS and the same-origin policy: simple vs preflight requests, the Access-Control headers, credentials, the wildcard pitfall, and risks.

18 May 2026, 8 min read
How to secure cookies with HttpOnly, Secure and SameSite
Web Security

How to Secure Cookies with HttpOnly, Secure, and SameSite

How to harden cookies with the HttpOnly, Secure and SameSite attributes, plus Path, Domain and the prefixes — and how to inspect them in browser DevTools.

18 May 2026, 9 min read
What HSTS is and how to enable it on your website
Web Security

What Is HSTS and How to Enable It

A practical guide to HTTP Strict Transport Security: how HSTS forces HTTPS, blocks SSL-stripping and downgrade attacks, its directives, and how to enable it.

18 May 2026, 8 min read
What DNSSEC is and whether you should enable it
Web Security

What Is DNSSEC and Should You Enable It?

A clear guide to DNSSEC: how cryptographic signatures protect DNS from spoofing, what it does and does not do, how to check it, and whether to enable it.

30 Apr 2026, 7 min read
How to protect your website from common attacks
Web Security

How to Protect Your Website from Common Attacks

A defensive walkthrough of the OWASP Top 10 risks, and how site owners actually defend against them: validation, access control, patching and headers.

30 Apr 2026, 7 min read
What HTTPS is and why your website needs it
Web Security

What Is HTTPS and Why Your Site Needs It

A clear guide to HTTPS: what TLS encryption protects, why it matters for privacy, trust and SEO, how HSTS and redirects work, and how to verify yours.

29 Apr 2026, 7 min read
How to tell if a website has been hacked
Web Security

How to Tell if a Website Has Been Hacked

Spot a compromised website: redirects, injected spam, malware warnings and rogue admin users. How to check externally, and what to do if you are hacked.

29 Apr 2026, 7 min read
What a Content Security Policy is and how to set one
Web Security

What Is a Content Security Policy (CSP) and How to Set One

A practical guide to Content Security Policy: the header that limits which sources can load on your site, mitigates XSS, and how to roll one out safely.

28 Apr 2026, 8 min read
What an SSL certificate is and how to check yours
Web Security

What Is an SSL Certificate and How to Check Yours

A plain-English guide to SSL/TLS certificates: what they prove, how the trust chain works, the types (DV, OV, EV), and exactly how to check your site.

28 Apr 2026, 9 min read
Checking whether a website is safe before trusting it
Web Security

Is This Website Safe? How to Check a Site Before You Trust It

A practical checklist for deciding whether a website is safe before you shop, sign up or share data — from HTTPS and reputation to phishing red flags and privacy.

14 Apr 2026, 7 min read
SPF, DKIM and DMARC — email authentication records explained
Web Security

SPF, DKIM and DMARC Explained: How to Check Your Email Security

A clear guide to the three records that protect your domain from email spoofing — SPF, DKIM and DMARC — what each does, how they work together, and how to check yours.

13 Apr 2026, 7 min read