ITD Web Security Platform

Glossary

CVE, CVSS, RCE, SSRF, XSS, SPF/DKIM/DMARC — each term with a one-line answer and a plain explanation.

2026-06-08

What is CSRF (Cross-Site Request Forgery) — making a logged-in user act without meaning to

CSRF makes a logged-in user's browser send an unintended action, abusing the browser's habit of auto-attaching cookies. The real defense is CSRF tokens plus SameSite cookies. Never use GET for state changes.

2026-06-08

What are SPF / DKIM / DMARC — the trio that protects your domain from spoofed email

SPF/DKIM/DMARC are three DNS settings so receivers can verify your domain's mail. SPF = which servers may send, DKIM = a cryptographic signature, DMARC = the policy plus reports. Together they stop spoofing in your name. Ramp DMARC from p=none upward.

2026-06-08

What is SQL injection (SQLi) — when input rewrites your database's commands

SQLi is when input is read as 'part of the command' rather than as data, changing a query's meaning — which lets an attacker read, alter or delete your data. The real defense is to stop string-concatenating SQL and pass values via placeholders (prepared statements).

2026-06-08

What is XSS (Cross-Site Scripting) — code running in someone else's browser

XSS makes an attacker-supplied string run 'as script' in another user's browser — straight to session theft and impersonation. The real defense is escaping on output. Don't disable your framework's auto-escaping.

2026-06-07

What is a CVE — the shared 'jersey number' for vulnerabilities

A CVE is a globally shared ID for a vulnerability (e.g. CVE-2025-12345). CVE = the name, CVSS = the severity, KEV = whether it is known to be exploited. It's the anchor for monitoring. Track it with machines, not by hand.

2026-06-07

What is CVSS — the severity score and how it's actually scored

CVSS rates severity from 0.0 to 10.0. The score is computed from defined metrics (attack vector, complexity, privileges, user interaction, scope, CIA impact) through a public formula — not a guess. Know the rubric and you can read what a 10.0 means. Still, prioritize with KEV (is it exploited) and whether the affected product is actually in your stack.

2026-06-07

What is .env — what happens when an environment file leaks

.env holds an app's secrets (DB credentials, API keys, encryption keys). Because every secret sits in one file, a single exposure leaks all of them at once. Keep the file outside the docroot, never commit it to git, and rotate everything if it leaks.

2026-06-07

What is RCE (Remote Code Execution) — why it's the worst class of bug

RCE lets an attacker run arbitrary code on your server — straight to takeover, the worst class. The blast radius is set by the running process's privileges. The core defenses are fast patching, CVE monitoring, and least privilege.

2026-06-07

What is SSRF (Server-Side Request Forgery)

SSRF abuses external-input URLs to make a server hit internal resources (internal IPs, cloud metadata). If you fetch URLs, you need an allowlist of destinations, internal-target blocking, and to close redirect/DNS-rebinding gaps. It was the entry point of the Capital One breach.