Web Security Glossary

Certificate Authority

A Certificate Authority is a trusted organization that issues digital certificates. The CA verifies ...

Certificate Chain of Trust

A certificate chain (or chain of trust) is the ordered list of certificates from the server's end-en...

Certificate Pinning / HPKP

Certificate pinning restricts which certificates a client accepts for a specific domain by binding (...

Certificate Revocation List

A Certificate Revocation List is a list published by a Certificate Authority containing the serial n...

Certificate Transparency

Certificate Transparency is an open framework for monitoring and auditing SSL certificate issuance. ...

Cipher Suite

A cipher suite is a set of cryptographic algorithms used together to secure a TLS connection. It spe...

Domain Validation Certificate

A Domain Validation certificate is the most basic type of SSL certificate. The CA only verifies that...

Extended Validation Certificate

An Extended Validation (EV) certificate requires the CA to perform thorough verification of the requ...

Hypertext Transfer Protocol Secure

HTTPS is HTTP layered over a TLS connection. It provides encrypted communication and secure identifi...

Intermediate Certificate

An intermediate certificate sits between the root certificate and the end-entity (server) certificat...

Let's Encrypt

Let's Encrypt is a free, automated, and open Certificate Authority run by the Internet Security Rese...

Mixed Content

Mixed content occurs when an HTTPS page loads sub-resources (images, scripts, stylesheets, iframes) ...

OCSP Stapling

OCSP stapling is a technique where the web server fetches the OCSP response from the CA and includes...

Online Certificate Status Protocol

OCSP is a protocol used to check the revocation status of an SSL certificate in real time. Instead o...

Organization Validation Certificate

An Organization Validation certificate requires the CA to verify that the requesting organization le...

Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) is a property of key exchange protocols that generates a unique sessio...

Root Certificate

A root certificate is a self-signed certificate issued by a root Certificate Authority. It sits at t...

SSL Certificate Expiry

SSL certificate expiry refers to the date after which an SSL certificate is no longer valid. When a ...

SSL/TLS Certificate

A digital certificate that authenticates a website's identity and enables an encrypted connection be...

SSL/TLS Handshake

The SSL/TLS handshake is the process by which a client and server establish an encrypted connection....

Subject Alternative Name Certificate

A SAN (Subject Alternative Name) certificate can secure multiple distinct domain names and subdomain...

TLS 1.2

TLS 1.2 is a widely deployed version of the Transport Layer Security protocol, defined in RFC 5246 (...

TLS 1.3

TLS 1.3 is the latest version of the Transport Layer Security protocol, finalized in 2018 (RFC 8446)...

Transport Layer Security

Transport Layer Security is the cryptographic protocol that provides secure communication over a com...

Wildcard SSL Certificate

A wildcard certificate secures a domain and all its first-level subdomains using a single certificat...

A Record (Address Record)

An A record maps a domain name to an IPv4 address. It is the most fundamental DNS record type, direc...

AAAA Record (IPv6 Address Record)

An AAAA record maps a domain name to an IPv6 address. It serves the same purpose as an A record but ...

Apex Domain / Root Domain

The apex domain (also called root domain, bare domain, or naked domain) is the domain without any su...

CAA Record (Certification Authority Authorization)

A CAA record specifies which Certificate Authorities are authorized to issue SSL certificates for a ...

CNAME Record (Canonical Name Record)

A CNAME record maps one domain name to another domain name (the canonical name). When a DNS resolver...

DNS Amplification Attack

A DNS amplification attack is a type of distributed denial-of-service (DDoS) attack that exploits op...

DNS Failover

DNS failover is a technique that automatically redirects traffic away from a failed server by changi...

DNS Hijacking

DNS hijacking is an attack where DNS queries are redirected to return incorrect IP addresses, sendin...

DNS over HTTPS

DNS over HTTPS (DoH) encrypts DNS queries by sending them inside regular HTTPS requests to a DoH-com...

DNS over TLS

DNS over TLS (DoT) encrypts DNS queries by wrapping them in a TLS connection on port 853. Like DNS o...

DNS Propagation

DNS propagation is the process by which DNS record changes spread across the global network of DNS r...

DNS Security Extensions

DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that a DNS respons...

DNS Spoofing / Cache Poisoning

DNS cache poisoning (also called DNS spoofing) is an attack where a malicious actor injects forged D...

DNS Zone

A DNS zone is a distinct portion of the DNS namespace managed by a specific entity. A zone contains ...

Domain Name System

The Domain Name System is the internet's directory service that translates human-readable domain nam...

MX Record (Mail Exchange Record)

An MX record specifies the mail server responsible for receiving email on behalf of a domain. Each M...

Nameserver

A nameserver is a server that stores DNS records and responds to DNS queries. Authoritative nameserv...

NS Record (Nameserver Record)

NS records specify which nameservers are authoritative for a domain. They delegate DNS resolution to...

PTR Record (Pointer Record)

A PTR record provides reverse DNS lookup, mapping an IP address back to a domain name. It is the opp...

Reverse DNS

Reverse DNS maps an IP address back to a hostname, the opposite of a standard (forward) DNS lookup. ...

SOA Record (Start of Authority)

The SOA record identifies the primary nameserver for a DNS zone, the email of the zone administrator...

SRV Record (Service Record)

An SRV record specifies the hostname and port number of servers for specific services. Unlike A reco...

Subdomain

A subdomain is a domain that is part of a larger domain in the DNS hierarchy. For example, blog.exam...

Time to Live

TTL (Time to Live) is a value in DNS records that specifies how long (in seconds) a resolver should ...

TXT Record (Text Record)

A TXT record allows domain administrators to store arbitrary text data in DNS. Originally intended f...

block-all-mixed-content CSP Directive

The block-all-mixed-content CSP directive prevents the browser from loading any HTTP resources on an...

Cache-Control for Security

Cache-Control headers can be used for security by preventing sensitive pages from being stored in br...

Clear-Site-Data Header

The Clear-Site-Data header instructs the browser to clear stored data associated with the requesting...

Content Security Policy

Content Security Policy is a security header that controls which resources (scripts, styles, images,...

Cross-Origin Embedder Policy

Cross-Origin Embedder Policy (COEP) controls whether a page can load cross-origin resources that do ...

Cross-Origin Opener Policy

Cross-Origin Opener Policy (COOP) controls how your page interacts with windows opened from it (popu...

Cross-Origin Resource Policy

Cross-Origin Resource Policy (CORP) is a header set on individual resources (images, scripts, etc.) ...

Cross-Origin Resource Sharing

CORS is a browser security mechanism that controls which external domains can make requests to your ...

Expect-CT

Expect-CT was a security header that instructed browsers to verify Certificate Transparency complian...

Feature-Policy (Deprecated)

Feature-Policy was a security header that controlled which browser features and APIs a page could us...

frame-ancestors CSP Directive

The frame-ancestors CSP directive specifies which origins are allowed to embed the current page in a...

HTTP Strict Transport Security

HSTS is a security header that instructs browsers to only connect to a website over HTTPS, never ove...

Network Error Logging

Network Error Logging (NEL) is a browser feature that reports network-level errors (DNS failures, TC...

Nonce-Based Content Security Policy

A nonce-based CSP uses a random, single-use token (nonce) generated by the server for each page load...

Permissions-Policy

Permissions-Policy (formerly Feature-Policy) is a security header that controls which browser featur...

Referrer-Policy

Referrer-Policy controls how much referrer information (the URL of the previous page) the browser in...

report-uri and report-to Directives

The report-uri and report-to directives specify where the browser should send reports when security ...

strict-dynamic CSP Directive

The 'strict-dynamic' CSP directive allows scripts loaded by an already trusted script to execute, wi...

upgrade-insecure-requests CSP Directive

The upgrade-insecure-requests CSP directive instructs the browser to automatically upgrade HTTP reso...

X-Content-Type-Options

X-Content-Type-Options is a security header with a single valid value: nosniff. It prevents browsers...

X-DNS-Prefetch-Control

X-DNS-Prefetch-Control controls whether the browser performs DNS prefetching - proactively resolving...

X-Download-Options

X-Download-Options is a Microsoft-specific header with a single value: noopen. It prevents Internet ...

X-Frame-Options

X-Frame-Options is a security header that controls whether a browser should allow a page to be rende...

X-Permitted-Cross-Domain-Policies

X-Permitted-Cross-Domain-Policies controls whether Adobe Flash and Adobe Acrobat can load data from ...

X-XSS-Protection

X-XSS-Protection was a security header that controlled the browser's built-in XSS filtering mechanis...

Authenticated Received Chain

ARC (Authenticated Received Chain) preserves email authentication results across intermediary mail s...

Brand Indicators for Message Identification

BIMI is an email standard that allows brands to display their verified logo next to authenticated em...

DKIM Alignment

DKIM alignment means the domain used in the DKIM signature (the d= field) matches the domain in the ...

DKIM Selector

A DKIM selector is a string used to locate the DKIM public key in DNS. The public key is published a...

DMARC Aggregate Reports (rua)

DMARC aggregate reports (rua) are XML reports sent by receiving mail servers to the email address sp...

DMARC Forensic Reports (ruf)

DMARC forensic reports (ruf) are detailed reports about individual emails that fail DMARC authentica...

DMARC Policy Types

DMARC policies (p=none, p=quarantine, p=reject) instruct receiving mail servers on how to handle ema...

DMARC Quarantine Policy

The DMARC quarantine policy (p=quarantine) instructs receiving mail servers to treat emails failing ...

DMARC Reject Policy

The DMARC reject policy (p=reject) instructs receiving mail servers to refuse delivery of emails tha...

Domain-based Message Authentication, Reporting and Conformance

DMARC is an email authentication protocol that builds on SPF and DKIM by adding a policy layer and r...

DomainKeys Identified Mail

DKIM is an email authentication method that adds a digital signature to outgoing emails. The sending...

Email Deliverability

Email deliverability is the ability of your emails to successfully reach recipients' inboxes rather ...

Email Spoofing

Email spoofing is the practice of sending email with a forged sender address. Because the SMTP proto...

Phishing

Phishing is a social engineering attack where attackers impersonate a trusted entity to trick victim...

Sender Policy Framework

SPF is an email authentication protocol that allows domain owners to specify which mail servers are ...

SMTP MTA Strict Transport Security

MTA-STS is a security standard that enables mail servers to declare that they support TLS for email ...

SPF 10 DNS Lookup Limit

The SPF specification (RFC 7208) limits SPF record evaluation to a maximum of 10 DNS lookups. Mechan...

SPF Alignment

SPF alignment means the domain in the email's envelope sender (Return-Path) matches the domain in th...

SPF Record Syntax

An SPF record is a TXT record in DNS that defines the authorized sending sources for a domain's emai...

TLS Reporting

TLS-RPT (SMTP TLS Reporting) is a standard that allows mail servers to report TLS connection failure...

API Key Exposure

API key exposure occurs when secret API keys, authentication tokens, or credentials are accidentally...

Brute Force Attack

A brute force attack is a trial-and-error method where an attacker systematically tries every possib...

Clickjacking

Clickjacking is an attack where a malicious website embeds a target site in a transparent iframe and...

Common Vulnerabilities and Exposures

CVE is a standardized system for identifying and naming publicly known cybersecurity vulnerabilities...

Cookie Security Flags

Cookie security flags are attributes set on HTTP cookies that restrict how browsers handle them. The...

Cross-Site Request Forgery

CSRF is an attack that tricks an authenticated user's browser into making unwanted requests to a web...

Cross-Site Scripting

Cross-Site Scripting is a vulnerability that allows attackers to inject malicious JavaScript into we...

Denial of Service Attack

A Denial of Service (DoS) attack attempts to make a website or service unavailable by overwhelming i...

Domain Blacklist Check

A domain blacklist check queries multiple security databases (like Google Safe Browsing, Spamhaus, S...

Domain Reputation

Domain reputation is a score assigned to a domain by search engines, email providers, and security s...

Exposed Secrets in JavaScript

Exposed secrets refer to sensitive credentials, tokens, API keys, or configuration data that is unin...

Google Safe Browsing

Google Safe Browsing is a service that identifies unsafe websites across the web and notifies users ...

HttpOnly Cookie Flag

The HttpOnly flag on a cookie prevents JavaScript from accessing the cookie through document.cookie....

Man-in-the-Middle Attack

A man-in-the-middle (MITM) attack occurs when an attacker secretly intercepts and potentially alters...

Open Redirect

An open redirect vulnerability exists when a web application accepts a URL as a parameter and redire...

OWASP Top 10

The OWASP Top 10 is a widely referenced standard awareness document listing the ten most critical we...

Penetration Testing

Penetration testing (pen testing) is a simulated cyberattack against a system to identify security v...

Rate Limiting

Rate limiting restricts the number of requests a client can make to a server within a specified time...

SameSite Cookie Attribute

The SameSite cookie attribute controls when cookies are sent with cross-site requests. SameSite=Stri...

Secure Cookie Flag

The Secure flag on a cookie instructs the browser to only send the cookie over HTTPS connections, ne...

Security Headers Overview

Security headers are HTTP response headers that instruct browsers to enable security features, restr...

SQL Injection

SQL injection is a vulnerability where an attacker inserts malicious SQL code into application queri...

Subdomain Takeover

Subdomain takeover occurs when a subdomain's DNS record (typically a CNAME) points to an external se...

Web Application Firewall

A Web Application Firewall is a security solution that monitors, filters, and blocks HTTP traffic to...

Zero-Day Vulnerability

A zero-day vulnerability is a software flaw that is unknown to the vendor and has no available patch...