Security Vibes.

Two-Factor Authentication. The two-factor case of MFA; usually password + TOTP/SMS.

Short-lived (usually 1h) bearer token for API access. Can be a JWT or opaque.

Cross-Site Request Forgery. Using a logged-in user's session from another site to perform malicious actions. SameSite cookies + tokens defend.

Cross-Origin Resource Sharing. Browser mechanism controlling JS requests across origins.

Content Security Policy header. Tells the browser which script/style/image sources are allowed. The strongest XSS curtain.

Hiding your page in a transparent iframe under another site so users mis-click. X-Frame-Options + CSP frame-ancestors prevent it.

Common Vulnerabilities and Exposures. Unique ID assigned to each known vulnerability (e.g., `CVE-2025-29927`).

Common Vulnerability Scoring System. Scoring a CVE's severity 0-10. >9 = critical; your inbox changes tone.

Records of who did what, when. Required for SOC2 compliance + incident investigation.

Attribute-Based Access Control. "User in this dept and file at this sensitivity" style policy. More flexible than RBAC, higher complexity.

Access Control List. Per-resource list of user/role permissions. Linux file perms; AWS S3 bucket policies.

Company program paying people who find security vulnerabilities. HackerOne, Bugcrowd, Immunefi.

Adding small but purposeful perturbations to input to fool a model. Classic for image classifiers; adapted to LLMs.