Security Vibes
Security basics every fast-shipping vibe coder must know.
2FA
Two-Factor Authentication. The two-factor case of MFA; usually password + TOTP/SMS.
Access Token
Short-lived (usually 1h) bearer token for API access. Can be a JWT or opaque.
CSRF
Cross-Site Request Forgery. A malicious site makes a logged-in user's browser send requests that ride on that user's session, performing actions the user never intended. SameSite cookies + anti-CSRF tokens defend.
CORS
Cross-Origin Resource Sharing. Browser mechanism controlling which cross-origin JS requests are allowed and whose responses a page may read.
CSP
Content Security Policy header. Tells the browser which script/style/image sources are allowed. The strongest XSS mitigation.
Clickjacking
Overlaying your page in a transparent iframe on top of an attacker's site so users click on it without realising. X-Frame-Options + CSP frame-ancestors prevent it.
CVE
Common Vulnerabilities and Exposures. Unique ID assigned to each known vulnerability (e.g., `CVE-2025-29927`).
CVSS
Common Vulnerability Scoring System. Scoring a CVE's severity 0-10. >9 = critical; your inbox changes tone.
Audit Log
Records of who did what, when. Required for SOC2 compliance + incident investigation.
ABAC
Attribute-Based Access Control. "User in this dept and file at this sensitivity" style policy. More flexible than RBAC, higher complexity.
ACL
Access Control List. Per-resource list of user/role permissions. Linux file perms; AWS S3 bucket policies.
Bug Bounty
Company program paying people who find security vulnerabilities. HackerOne, Bugcrowd, Immunefi.
Adversarial Attack
Adding small but purposeful perturbations to input to fool a model. Classic for image classifiers; adapted to LLMs.