Security by Framework
Per-framework security guides — the default dangers, the weaknesses most often exploited, and the hardening steps — for WordPress, Laravel, Next.js, Spring, and more.
Frameworks covered
PHP
WordPress
WordPress has the largest market share, so it is statistically the biggest target. The entry points are rarely core itself: plugin and theme vulnerabilities, skipped updates, weak or reused admin credentials, and exposed admin surfaces (wp-admin, xmlrpc.php, user enumeration through the REST API). Defenses: automate core and plugin updates, delete unused plugins and themes, strong passwords plus 2FA for admins, restrict admin exposure and rate-limit login attempts, file-integrity (tamper) detection, and offline backups.
Laravel
Laravel ships fairly safe defaults, but most incidents come from operations. The big three pitfalls: (1) .env or other secret files reachable by URL, typically because the web root points at the project root instead of public/ or the file was copied into public/; (2) APP_DEBUG=true in production, which prints environment variables and database connection details on the error page; (3) missing authorization (login is authentication, but nothing scopes the record to its owner) and mass assignment (passing $request->all() straight into create() or update(), so a client can overwrite fields it should not). Defenses: keep secrets outside public/ with permissions 600, APP_DEBUG=false plus php artisan config:cache in production, authorize with Policies and Gates, and declare $fillable (or $guarded) on every model.
JavaScript / Node
Next.js
Next.js ships fairly safe defaults, but incidents happen at the server/client boundary. The big three: (1) environment-variable exposure (prefixing a server-only secret with NEXT_PUBLIC_, which inlines it into the client bundle at build time, or passing a secret from a Server Component into client props); (2) missing authorization in Server Actions and Route Handlers (the caller is authenticated but nothing checks that the record belongs to them); (3) known dependency CVEs, including remote code execution in the framework core. Judge exposure by the version actually running and patch fast. Defenses: keep secrets server-only, treat the server/client boundary as a trust boundary, authorize inside every action and handler, and monitor dependency CVEs automatically.
Express
Express is minimalist: it ships almost no security features by default, so the defenses are the ones the developer adds. The essentials: (1) security headers (helmet or equivalent), (2) input validation and sanitization, (3) authorization scoped to the owner, not just authentication, (4) rate limiting against brute force and DoS, (5) dependency (npm) CVE monitoring and fast patching. Plus an allowlist of destinations for any outbound URL fetch (SSRF) and secrets kept in the environment, out of the code. The freedom of a minimal framework comes with the responsibility to defend.
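The three Express essentials that are code rather than a dependency pin (security headers, rate limiting, input validation), as an added example that is not from this page or from Express or helmet. Each is written as plain middleware over a hand-rolled req/res stand-in so it runs offline; the header values, the window size, the login payload shape and the buildLoginApp/run helper names are assumptions for the demo.

```javascript
// Added example, not code from the page, Express or helmet. The header
// values, window size, payload shape and helper names are assumptions.

// 1. Security headers (what helmet sets for you). A strict baseline; the CSP
//    is deliberately tight and would be loosened per application.
const SECURITY_HEADERS = {
  'content-security-policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'no-referrer',
};
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  next();
}

// 2. Rate limiting: fixed window per client key. Key on the socket address
//    (req.ip) rather than a spoofable X-Forwarded-For unless Express's
//    `trust proxy` is set for a proxy you control; that is the classic bypass.
function rateLimit({ windowMs, max, now = Date.now }) {
  const hits = new Map(); // key -> { count, resetAt }
  return function limiter(req, res, next) {
    const key = req.ip;
    const t = now();
    let entry = hits.get(key);
    if (!entry || entry.resetAt <= t) {
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      res.setHeader('retry-after', String(Math.ceil((entry.resetAt - t) / 1000)));
      return res.status(429).json({ error: 'too many requests' });
    }
    next();
  };
}

// 3. Input validation: check the shape before using it instead of trusting
//    req.body. Returns a list of errors; an empty list means valid.
function validateLogin(body) {
  if (typeof body !== 'object' || body === null) return ['body must be an object'];
  const errors = [];
  if (typeof body.username !== 'string' || !/^[a-z0-9_]{3,32}$/i.test(body.username)) {
    errors.push('username: 3-32 word characters');
  }
  if (typeof body.password !== 'string' || body.password.length < 12 || body.password.length > 128) {
    errors.push('password: 12-128 characters');
  }
  return errors;
}

// Minimal stand-in for the Express res object so the chain runs offline.
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (n, v) => { res.headers[n.toLowerCase()] = v; };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Run a middleware chain the way Express does: each calls next() or ends the response.
function run(middlewares, req) {
  const res = makeRes();
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

function loginHandler(req, res) {
  const errors = validateLogin(req.body);
  if (errors.length) return res.status(400).json({ errors });
  // A real credential check goes here; the demo accepts any well-formed request.
  res.status(200).json({ ok: true });
}

// Build the chain once so the limiter keeps state across requests like a real app.
function buildLoginApp(limiterOpts = { windowMs: 60_000, max: 5 }) {
  const chain = [securityHeaders, rateLimit(limiterOpts), loginHandler];
  return (req) => run(chain, req);
}
```

The limiter counts every request in the window, including malformed ones, so a brute-forcer cannot reset the budget by sending bad bodies; the Retry-After header tells a well-behaved client when to come back.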
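The owner-scoped authorization and field-allowlist point made for Laravel (3), Next.js (2) and Express (3), as an added example rather than any framework's own code. It uses an Express-shaped request but no Express; the in-memory notes table, the user and record shapes, and the pickFillable/canEdit/updateNote names are assumptions. The allowlist plays the role of Laravel's $fillable.

```javascript
// Added example, not code from the page or from Laravel, Next.js or Express.
// The notes table, user/record shapes and function names are assumptions.

// Constructed in-memory "table" standing in for a real database.
const notes = new Map([
  [1, { id: 1, ownerId: 10, title: 'mine', body: 'hello', isPublished: false }],
  [2, { id: 2, ownerId: 20, title: 'theirs', body: 'secret', isPublished: false }],
]);

// Fields a client may write, in the spirit of Laravel's $fillable.
// Everything else (id, ownerId, isPublished) is silently ignored.
const FILLABLE = ['title', 'body'];

// Copy only allowlisted own properties. hasOwnProperty.call ignores keys like
// "__proto__" that a crafted JSON body can set as own properties.
function pickFillable(body, fillable = FILLABLE) {
  const out = {};
  for (const key of fillable) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Authentication answers "who are you"; authorization answers "may you touch
// this record". The check is an explicit owner comparison, not a truthy user.
function canEdit(user, note) {
  return Boolean(user) && note.ownerId === user.id;
}

// Handler in the shape of an Express PATCH /notes/:id route, independent of
// Express so it runs offline. Returns { status, body } instead of writing to res.
function updateNote(req) {
  const id = Number.parseInt(req.params.id, 10);
  const note = notes.get(id);
  if (!note) return { status: 404, body: { error: 'not found' } };
  if (!canEdit(req.user, note)) {
    // 404 rather than 403 so the response does not confirm that the id exists.
    return { status: 404, body: { error: 'not found' } };
  }
  // The vulnerable form is Object.assign(note, req.body): the client can then
  // set ownerId or isPublished. Allowlist first, then assign.
  Object.assign(note, pickFillable(req.body));
  return { status: 200, body: { ...note } };
}
```

Same idea in Laravel: `$this->authorize('update', $note)` before `$note->update($request->only($note->getFillable()))`; in a Next.js Server Action: load the row by id and the session user id together, and return "not found" when either is missing.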