# Codepure Documentation

## Docs

- [Api security](https://guide.codepure.com/api-security.md)
- [Bitbucket](https://guide.codepure.com/bitbucket.md): Securely connect your Bitbucket repositories to **Codepure** to enable secure code scanning and project management.
- [Ensure Default Seccomp Profile is Not Disabled (CIS 5.22)](https://guide.codepure.com/container-security/docker-compose/ensure-seccomp-profile-enabled.md): Reduce the kernel attack surface by maintaining the default seccomp whitelist
- [Ensure Memory Usage for Containers is Limited (CIS 5.11)](https://guide.codepure.com/container-security/docker-compose/limit-container-memory.md): Prevent Denial of Service (DoS) by enforcing memory limits on containers
- [Ensure CPU Priority is Set Appropriately (CIS 5.12)](https://guide.codepure.com/container-security/docker-compose/limit-cpu-priority.md): Prevent resource starvation by prioritizing CPU usage for critical containers
- [Ensure Container Restart Policy is Set to on-failure:5 (CIS 5.15)](https://guide.codepure.com/container-security/docker-compose/limit-restart-policy.md): Prevent resource exhaustion by limiting container restart attempts
- [Ensure Docker Socket is Not Mounted (CIS 5.32)](https://guide.codepure.com/container-security/docker-compose/no-docker-socket-mount.md): Prevent full host compromise by restricting access to the Docker socket
- [Ensure Host IPC Namespace Is Not Shared (CIS 5.17)](https://guide.codepure.com/container-security/docker-compose/no-host-ipc-namespace.md): Prevent containers from accessing host shared memory segments and semaphores
- [Ensure Host Network Namespace Is Not Shared (CIS 5.10)](https://guide.codepure.com/container-security/docker-compose/no-host-network-namespace.md): Prevent containers from accessing the host network stack to avoid privilege escalation
- [Ensure Host Process Namespace Is Not Shared (CIS 5.16)](https://guide.codepure.com/container-security/docker-compose/no-host-pid-namespace.md): Prevent containers from accessing or manipulating host processes by maintaining PID isolation
- [Ensure Host User Namespace Is Not Shared (CIS 5.31)](https://guide.codepure.com/container-security/docker-compose/no-host-user-namespace.md): Prevent privilege escalation by isolating container users from host users
- [Ensure Host UTS Namespace Is Not Shared (CIS 5.21)](https://guide.codepure.com/container-security/docker-compose/no-host-uts-namespace.md): Prevent containers from modifying the host's hostname and NIS domain name
- [Ensure Privileged Containers Are Not Used (CIS 5.5)](https://guide.codepure.com/container-security/docker-compose/no-privileged-containers.md): Prevent containers from accessing host devices and kernel capabilities by disabling privileged mode
- [Ensure Container Root Filesystem is Mounted Read-Only (CIS 5.13)](https://guide.codepure.com/container-security/docker-compose/read-only-root-filesystem.md): Enforce immutable infrastructure by preventing writes to the container's root filesystem
- [Ensure Container is Restricted from Acquiring Additional Privileges (CIS 5.26)](https://guide.codepure.com/container-security/docker-compose/restrict-additional-privileges.md): Prevent privilege escalation by blocking the no_new_priv bit
- [Ensure Linux Kernel Capabilities Are Restricted (CIS 5.4)](https://guide.codepure.com/container-security/docker-compose/restrict-kernel-capabilities.md): Minimize the attack surface by dropping unnecessary Linux kernel capabilities
- [Content Trust Not Enabled (CIS 4.5)](https://guide.codepure.com/container-security/docker/content-trust-not-enabled.md): Ensure Content Trust is enabled to verify the integrity and publisher of Docker images
- [Ensure Images are Scanned and Rebuilt (CIS 4.4)](https://guide.codepure.com/container-security/docker/ensure-images-scanned.md): Regularly scan and rebuild container images to patch known vulnerabilities
- [Healthcheck Instruction Missing (CIS 4.6)](https://guide.codepure.com/container-security/docker/healthcheck-instruction-missing.md): Ensure that health checks are executed against running containers to maintain availability
- [Ensure User Created (CIS 4.1)](https://guide.codepure.com/container-security/docker/running-as-root.md): Containers should run as a non-root user to minimize security risks
- [Ensure Secrets Are Not Stored in Dockerfiles (CIS 4.10)](https://guide.codepure.com/container-security/docker/secrets-in-dockerfile.md): Prevent credential theft by removing hardcoded secrets from Dockerfiles
- [Ensure Update Instructions Are Not Used Alone (CIS 4.7)](https://guide.codepure.com/container-security/docker/update-instructions-alone.md): Prevent stale cache layers by combining update and install instructions
- [Use COPY Instead of ADD (CIS 4.9)](https://guide.codepure.com/container-security/docker/use-copy-instead-of-add.md): Security risks of using the ADD instruction in Dockerfiles and secure alternatives
- [Apply Security Context to Your Pods and Containers (CIS 5.6.3)](https://guide.codepure.com/container-security/kubernetes/apply-security-context.md): Enforce defense-in-depth by explicitly defining security settings for all workloads
- [Avoid Use of system:masters Group (CIS 5.1.7)](https://guide.codepure.com/container-security/kubernetes/avoid-system-masters-group.md): Prevent irrevocable administrative access by avoiding the hard-coded system:masters group
- [Ensure Default Service Accounts Are Not Actively Used (CIS 5.1.5)](https://guide.codepure.com/container-security/kubernetes/disable-default-service-account.md): Improve auditability and security by disabling the default service account token mounting
- [Ensure All Namespaces Have Network Policies Defined (CIS 5.3.2)](https://guide.codepure.com/container-security/kubernetes/ensure-network-policies-defined.md): Enforce network segmentation by defining traffic isolation rules for all namespaces
- [Ensure Seccomp Profile is Set to RuntimeDefault (CIS 5.6.2)](https://guide.codepure.com/container-security/kubernetes/ensure-seccomp-profile-default.md): Reduce the kernel attack surface by enabling the default seccomp profile
- [Limit Bind, Impersonate, and Escalate Permissions (CIS 5.1.8)](https://guide.codepure.com/container-security/kubernetes/limit-escalation-permissions.md): Prevent hidden privilege escalation paths by restricting dangerous RBAC verbs
- [Minimize Admission of Containers with Capabilities Assigned (CIS 5.2.9)](https://guide.codepure.com/container-security/kubernetes/minimize-capabilities.md): Enforce least privilege by dropping all Linux capabilities from containers
- [Ensure Cluster-Admin Role Is Only Used Where Required (CIS 5.1.1)](https://guide.codepure.com/container-security/kubernetes/minimize-cluster-admin-usage.md): Enforce least privilege by restricting the use of the powerful cluster-admin role
- [Ensure Access to Create Pods is Minimized (CIS 5.1.4)](https://guide.codepure.com/container-security/kubernetes/minimize-create-pods-access.md): Prevent privilege escalation by restricting who can create Pods directly
- [Minimize Admission of Containers Sharing Host IPC Namespace (CIS 5.2.4)](https://guide.codepure.com/container-security/kubernetes/minimize-host-ipc.md): Prevent privilege escalation by isolating container shared memory from the host
- [Minimize Admission of Containers Sharing Host Network Namespace (CIS 5.2.5)](https://guide.codepure.com/container-security/kubernetes/minimize-host-network.md): Prevent traffic sniffing and network policy bypass by isolating container networking
- [Minimize Admission of Containers Sharing Host PID Namespace (CIS 5.2.3)](https://guide.codepure.com/container-security/kubernetes/minimize-host-pid.md): Prevent privilege escalation by isolating container processes from the host Process ID namespace
- [Minimize Admission of Containers Using HostPorts (CIS 5.2.12)](https://guide.codepure.com/container-security/kubernetes/minimize-host-ports.md): Prevent network policy bypass and port conflicts by restricting hostPort usage
- [Minimize Admission of HostPath Volumes (CIS 5.2.11)](https://guide.codepure.com/container-security/kubernetes/minimize-hostpath-volumes.md): Prevent host filesystem compromise by restricting the use of hostPath mounts
- [Minimize Admission of Containers with NET_RAW Capability (CIS 5.2.8)](https://guide.codepure.com/container-security/kubernetes/minimize-net-raw-capability.md): Prevent network spoofing attacks by dropping the NET_RAW capability
- [Minimize Admission of Containers with allowPrivilegeEscalation (CIS 5.2.6)](https://guide.codepure.com/container-security/kubernetes/minimize-privilege-escalation.md): Prevent privilege escalation attacks by disabling the setuid bit in containers
- [Minimize the Admission of Privileged Containers (CIS 5.2.2)](https://guide.codepure.com/container-security/kubernetes/minimize-privileged-containers.md): Prevent host compromise by enforcing policies that block privileged containers
- [Minimize Admission of Root Containers (CIS 5.2.7)](https://guide.codepure.com/container-security/kubernetes/minimize-root-containers.md): Mitigate container breakout risks by enforcing non-root execution
- [Ensure Access to Secrets is Minimized (CIS 5.1.2)](https://guide.codepure.com/container-security/kubernetes/minimize-secrets-access.md): Prevent privilege escalation by restricting who can read Secrets in the Kubernetes API
- [Minimize Wildcard Use in Roles and ClusterRoles (CIS 5.1.3)](https://guide.codepure.com/container-security/kubernetes/minimize-wildcards-rbac.md): Enforce least privilege by avoiding wildcard characters in Kubernetes RBAC permissions
- [Prefer Using Secrets as Files Over Environment Variables (CIS 5.4.1)](https://guide.codepure.com/container-security/kubernetes/prefer-secrets-as-files.md): Prevent accidental secret leakage in logs by mounting secrets as volumes
- [Container Security](https://guide.codepure.com/container_security.md): Comprehensive container and cloud infrastructure security scanning — 100% native engine, zero external dependencies.
- [DevSecOps Integration](https://guide.codepure.com/devsecops.md): Learn how Codepure integrates security into your development workflows.
- [GitHub Actions Integration](https://guide.codepure.com/github_devsecops.md): Automatically scan Pull Requests and block vulnerable code using Codepure DevSecOps gates.
- [GitLab CI/CD Integration](https://guide.codepure.com/gitlab_devsecops.md): Integrate Codepure DevSecOps gates into your GitLab pipelines.
- [Introduction](https://guide.codepure.com/introduction.md): Welcome to Codepure’s Documentation — your complete guide to securing your applications with Codepure.
- [How to Use it](https://guide.codepure.com/quickstart.md): Set up Codepure in just a few steps.
- [Roles and Permissions](https://guide.codepure.com/role_perm.md): Understand roles and permissions in Codepure’s platform for secure application development.
- [Static Application Security Testing (SAST)](https://guide.codepure.com/sast.md): Find vulnerabilities in your source code before they reach production. 22 languages. Zero blind spots.
- [Software Composition Analysis (SCA)](https://guide.codepure.com/sca.md): Identify and fix vulnerable open-source dependencies across 20+ ecosystems and 27+ lockfile formats.
- [Insecure Repository Configuration](https://guide.codepure.com/sca/maven/insecure-repositories.md): Securing Maven repository configurations
- [Snapshot Dependencies Security](https://guide.codepure.com/sca/maven/snapshot-dependencies.md): Managing snapshot dependencies securely in Maven
- [Vulnerable Dependencies in Maven](https://guide.codepure.com/sca/maven/vulnerable-dependencies.md): Identifying and fixing vulnerable dependencies in Maven projects
- [Insecure NPM Scripts](https://guide.codepure.com/sca/npm/insecure-scripts.md): Securing npm scripts and preventing script injection attacks
- [Unpinned Package Versions](https://guide.codepure.com/sca/npm/unpinned-versions.md): Securing npm dependencies with proper version pinning
- [Vulnerable Dependencies in NPM](https://guide.codepure.com/sca/npm/vulnerable-dependencies.md): Identifying and fixing vulnerable npm packages
- [Insecure Package Index URLs](https://guide.codepure.com/sca/pip/insecure-index-urls.md): Securing pip package sources and index URLs
- [Unpinned Dependencies in Pip](https://guide.codepure.com/sca/pip/unpinned-dependencies.md): Properly pinning Python package versions for security
- [Vulnerable Dependencies in Pip](https://guide.codepure.com/sca/pip/vulnerable-dependencies.md): Managing and securing Python package dependencies
- [JWT Secrets and Token Security](https://guide.codepure.com/secret-scanning/api-keys/jwt-secrets.md): Securing JWT signing secrets and token management
- [Payment Gateway Keys](https://guide.codepure.com/secret-scanning/api-keys/payment-gateway-keys.md): Securing payment processor API keys and tokens
- [Third-Party API Keys](https://guide.codepure.com/secret-scanning/api-keys/third-party-apis.md): Securing various third-party service API keys
- [Environment Files (.env)](https://guide.codepure.com/secret-scanning/application-secrets/env-files.md): Securing environment variables and .env files
- [SSH Private Keys](https://guide.codepure.com/secret-scanning/certificates/ssh-keys.md): Detecting and securing SSH keys in repositories
- [AWS Credentials Exposure](https://guide.codepure.com/secret-scanning/cloude-providers/aws-credentials.md): Detecting and preventing AWS access keys and secrets in code
- [Azure Secrets Exposure](https://guide.codepure.com/secret-scanning/cloude-providers/azure-secrets.md): Detecting and preventing Azure credentials in code
- [Google Cloud Platform Keys](https://guide.codepure.com/secret-scanning/cloude-providers/gcp-keys.md): Detecting and securing GCP service account keys and API credentials
- [Multi-Cloud Credentials Management](https://guide.codepure.com/secret-scanning/cloude-providers/multi-cloud-credentials.md): Securing credentials across multiple cloud providers
- [Database Password Security](https://guide.codepure.com/secret-scanning/databases/database-passwords.md): Securing database passwords and authentication credentials
- [NoSQL Database Credentials](https://guide.codepure.com/secret-scanning/databases/nosql-credentials.md): Securing MongoDB, Redis, and other NoSQL credentials
- [SQL Connection Strings](https://guide.codepure.com/secret-scanning/databases/sql-connection-strings.md): Detecting and securing database connection strings
- [Git Configuration and Secrets](https://guide.codepure.com/secret-scanning/source-control/git-secrets.md): Preventing secrets in Git configuration and history
- [GitHub Tokens and Secrets](https://guide.codepure.com/secret-scanning/source-control/github-tokens.md): Securing GitHub access tokens and OAuth credentials
- [GitLab Tokens and CI Variables](https://guide.codepure.com/secret-scanning/source-control/gitlab-credentials.md): Securing GitLab access tokens and CI/CD variables
- [Secret Scanning](https://guide.codepure.com/secret_scanning.md): Advanced detection and prevention of exposed secrets, credentials, API keys, tokens, and sensitive information across your entire codebase, repositories, and development lifecycle.
- [Supported Languages & Frameworks](https://guide.codepure.com/supported-languages.md): Overview of languages, frameworks, and technologies supported by the Codepure SAST engine.
- [Our Team](https://guide.codepure.com/team.md): Meet the experts behind Codepure.
- [Acceptable Use Policy](https://guide.codepure.com/trust/acceptable-use-policy.md): The strict rules for using the Codepure security platform.
- [Data Residency & Cloud Security](https://guide.codepure.com/trust/data-residency.md): Where your data lives and how we protect your source code.
- [Data Processing Agreement (DPA)](https://guide.codepure.com/trust/dpa.md): How we protect your data and comply with regional laws.
- [Privacy Policy](https://guide.codepure.com/trust/privacy-policy.md): How we collect, use, and protect your personal information.
- [Regulatory Compliance](https://guide.codepure.com/trust/regulatory-compliance.md): How Codepure aligns with Middle Eastern cybersecurity frameworks.
- [Service Level Agreement (SLA)](https://guide.codepure.com/trust/sla.md): Our commitment to platform uptime and reliability.
- [Sub-processor List](https://guide.codepure.com/trust/subprocessors.md): The third-party services Codepure uses to process data.
- [Support Policy](https://guide.codepure.com/trust/support-policy.md): Our target response times and support channels.
- [Master Terms of Service](https://guide.codepure.com/trust/terms-of-service.md): The rules for using the Codepure platform.
- [Vulnerability Disclosure Policy](https://guide.codepure.com/trust/vulnerability-disclosure.md): How to safely report security issues to Codepure.
- [Command Injection](https://guide.codepure.com/vulnerabilities/command-injection.md): Architectural examples and mitigation for Command Injection in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Sensitive Cookie Without 'HttpOnly' Flag](https://guide.codepure.com/vulnerabilities/cwe-1004.md): Mitigation for sensitive cookies (session IDs, tokens) missing the 'HttpOnly' flag, making them accessible to client-side scripts (XSS).
- [Debug Features Enabled in Production](https://guide.codepure.com/vulnerabilities/cwe-11.md): Mitigation for deploying applications (ASP.NET, Django, Flask, etc.) with debug mode enabled, exposing sensitive information.
- [Use of Unmaintained Third Party Components](https://guide.codepure.com/vulnerabilities/cwe-1104.md): Mitigation for using outdated or unmaintained third-party libraries/frameworks with known vulnerabilities (OWASP A06).
- [CRLF Injection (HTTP Response Splitting)](https://guide.codepure.com/vulnerabilities/cwe-113.md): Mitigation for CRLF Injection vulnerabilities where user input containing CR/LF characters manipulates HTTP headers or body.
- [Improper Output Neutralization for Logs (Log Injection)](https://guide.codepure.com/vulnerabilities/cwe-117.md): Mitigation for Log Injection vulnerabilities where attackers insert fake log entries, newlines (CRLF), or control characters.
- [Improper SameSite Attribute](https://guide.codepure.com/vulnerabilities/cwe-1275.md): Mitigation for sensitive cookies missing the SameSite attribute in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Sensitive Data Exposure](https://guide.codepure.com/vulnerabilities/cwe-200.md): Mitigation for exposing sensitive data (stack traces, PII, config) in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Generation of Error Message Containing Sensitive Information](https://guide.codepure.com/vulnerabilities/cwe-209.md): Mitigation for exposing sensitive system details, stack traces, or configuration via error messages.
- [Storing Passwords in a Recoverable Format](https://guide.codepure.com/vulnerabilities/cwe-257.md): Mitigation for storing passwords using reversible encryption or plaintext instead of secure, one-way hashing.
- [Use of Hard-coded Password](https://guide.codepure.com/vulnerabilities/cwe-259.md): Mitigation for hard-coding passwords directly in source code or configuration files.
- [Improper Access Control](https://guide.codepure.com/vulnerabilities/cwe-284.md): Mitigation for improper access control (missing role/permission checks) in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Improper Authentication](https://guide.codepure.com/vulnerabilities/cwe-287.md): Mitigation for flaws in authentication logic, such as accepting incorrect credentials, type juggling, or signature bypass.
- [Improper Certificate Validation](https://guide.codepure.com/vulnerabilities/cwe-295.md): Mitigation for failing to properly validate TLS/SSL certificates, enabling Man-in-the-Middle (MitM) attacks.
- [Missing Authentication for Critical Function](https://guide.codepure.com/vulnerabilities/cwe-306.md): Mitigation for critical functions or endpoints lacking authentication checks, allowing anonymous access.
- [Improper Restriction of Excessive Authentication Attempts](https://guide.codepure.com/vulnerabilities/cwe-307.md): Mitigation for missing rate limiting or lockouts on login attempts, allowing attackers to brute-force credentials.
- [Cleartext Storage of Sensitive Information](https://guide.codepure.com/vulnerabilities/cwe-312.md): Mitigation for storing sensitive data (credentials, PII, secrets) without encryption in databases, files, logs, or backups.
- [Cleartext Transmission of Sensitive Information](https://guide.codepure.com/vulnerabilities/cwe-319.md): Mitigation for transmitting sensitive data in cleartext (HTTP) in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Use of Hard-coded Cryptographic Key](https://guide.codepure.com/vulnerabilities/cwe-321.md): Mitigation for hard-coding encryption keys directly in source code or configuration files.
- [Use of a Broken or Risky Cryptographic Algorithm](https://guide.codepure.com/vulnerabilities/cwe-327.md): Mitigation for using weak or broken crypto (MD5, SHA1, DES) in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Use of Predictable IV with CBC Mode](https://guide.codepure.com/vulnerabilities/cwe-329.md): Mitigation for using static, null, or predictable Initialization Vectors (IVs) with CBC mode encryption.
- [Use of Insufficiently Random Values](https://guide.codepure.com/vulnerabilities/cwe-330.md): Mitigation for using predictable or weak random number generators for security-sensitive purposes like tokens or keys.
- [Improper Verification of Cryptographic Signature](https://guide.codepure.com/vulnerabilities/cwe-347.md): Mitigation for failing to verify signatures, accepting invalid signatures, or allowing algorithm confusion attacks (e.g., JWT 'none' algorithm).
- [Cross-Site Request Forgery (CSRF)](https://guide.codepure.com/vulnerabilities/cwe-352.md): Mitigation for Cross-Site Request Forgery in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Missing Support for Integrity Check](https://guide.codepure.com/vulnerabilities/cwe-353.md): Mitigation for failing to use integrity checks (MACs, digital signatures) on data, allowing undetected tampering.
- [Session Fixation](https://guide.codepure.com/vulnerabilities/cwe-384.md): Mitigation for session fixation attacks where an attacker forces a user's browser to use a known session ID.
- [Forced Browsing](https://guide.codepure.com/vulnerabilities/cwe-425.md): Mitigation for Forced Browsing vulnerabilities (unprotected pages/endpoints) in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Unrestricted Upload of File with Dangerous Type](https://guide.codepure.com/vulnerabilities/cwe-434.md): Mitigation for allowing uploads of dangerous file types (e.g., .php, .jsp, .exe) leading to code execution or XSS.
- [Download of Code Without Integrity Check](https://guide.codepure.com/vulnerabilities/cwe-494.md): Mitigation for failing to verify the integrity of code downloaded from external sources (e.g., CDNs without SRI, insecure auto-updates).
- [Trust Boundary Violation](https://guide.codepure.com/vulnerabilities/cwe-501.md): Mitigation for trust boundary violations where data from less trusted zones is used without validation in more trusted zones.
- [Weak Password Requirements](https://guide.codepure.com/vulnerabilities/cwe-521.md): Mitigation for enforcing weak password policies (length, complexity, common passwords) making accounts vulnerable to guessing or cracking.
- [Exposure of Sensitive Information Through Environmental Variables](https://guide.codepure.com/vulnerabilities/cwe-526.md): Mitigation for leaking sensitive environment variables via debug pages, phpinfo(), or misconfigured server settings.
- [Insertion of Sensitive Information into Log File](https://guide.codepure.com/vulnerabilities/cwe-532.md): Mitigation for logging sensitive data (passwords, API keys, PII) in plaintext, which makes logs a high-value target.
- [Exposure of Information Through Directory Listing](https://guide.codepure.com/vulnerabilities/cwe-548.md): Mitigation for web server misconfiguration that allows attackers to list files in directories without an index file.
- [Open Redirect](https://guide.codepure.com/vulnerabilities/cwe-601.md): Mitigation for Open Redirect vulnerabilities in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Client-Side Enforcement of Server-Side Security](https://guide.codepure.com/vulnerabilities/cwe-602.md): Mitigation for relying on client-side controls (JavaScript, hidden fields) for security decisions instead of server-side validation.
- [Insufficient Session Expiration](https://guide.codepure.com/vulnerabilities/cwe-613.md): Mitigation for sessions that don't expire or have excessively long timeouts, increasing the window for session hijacking.
- [Sensitive Cookie Without 'Secure' Attribute](https://guide.codepure.com/vulnerabilities/cwe-614.md): Mitigation for sensitive cookies (session IDs, tokens) missing the 'Secure' flag, allowing transmission over HTTP.
- [Insecure Direct Object Reference (IDOR)](https://guide.codepure.com/vulnerabilities/cwe-639.md): Mitigation for Insecure Direct Object Reference (IDOR / CWE-639) in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Weak Password Recovery Mechanism for Forgotten Password](https://guide.codepure.com/vulnerabilities/cwe-640.md): Mitigation for insecure password reset features, like guessable tokens, security questions, or leaking information.
- [XPath Injection](https://guide.codepure.com/vulnerabilities/cwe-643.md): Mitigation for XPath Injection vulnerabilities where user input manipulates XPath queries against XML data.
- [Use of a One-Way Hash without a Salt](https://guide.codepure.com/vulnerabilities/cwe-759.md): Mitigation for hashing passwords without a unique salt, making them vulnerable to rainbow table attacks.
- [XML Entity Expansion (XML Bomb)](https://guide.codepure.com/vulnerabilities/cwe-776.md): Mitigation for XML Denial of Service (DoS) caused by exponential entity expansion (Billion Laughs Attack).
- [Insufficient Logging](https://guide.codepure.com/vulnerabilities/cwe-778.md): Mitigation for failing to log critical security-relevant events, which hinders detection, forensics, and incident response.
- [Improper Control of Interaction Frequency](https://guide.codepure.com/vulnerabilities/cwe-799.md): Mitigation for missing rate limiting on sensitive actions like login, password reset, or API usage, leading to brute-force or DoS.
- [Inclusion of Functionality from Untrusted Control Sphere](https://guide.codepure.com/vulnerabilities/cwe-829.md): Mitigation for risks of including or using code (libraries, dependencies, plugins) from untrusted or unverified sources.
- [Business Logic Errors](https://guide.codepure.com/vulnerabilities/cwe-840.md): Mitigation for flaws in the design and implementation of business rules that can be exploited to bypass intended application behavior.
- [Missing Authorization](https://guide.codepure.com/vulnerabilities/cwe-862.md): Mitigation for missing authorization (unprotected functions/endpoints) in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Improperly Controlled Modification of Object Attributes](https://guide.codepure.com/vulnerabilities/cwe-915.md): Mitigation for prototype pollution (JavaScript) and mass assignment (Rails, Laravel, ASP.NET) vulnerabilities.
- [Insufficient Password Hash Effort](https://guide.codepure.com/vulnerabilities/cwe-916.md): Mitigation for using fast password hashes (SHA256/512) instead of slow ones (bcrypt/Argon2/PBKDF2) in various frameworks.
- [Expression Language (EL) Injection](https://guide.codepure.com/vulnerabilities/cwe-917.md): Mitigation for Expression Language (EL) Injection vulnerabilities in frameworks like Java EE (JSF, JSP), Spring (SPeL), and others.
- [Code Injection](https://guide.codepure.com/vulnerabilities/cwe-94.md): Mitigation for vulnerabilities where attacker-controlled data is executed as code (e.g., eval(), unsafe deserialization, template injection).
- [Permissive Cross-domain Policy with Untrusted Domains](https://guide.codepure.com/vulnerabilities/cwe-942.md): Mitigation for overly permissive Cross-Origin Resource Sharing (CORS) policies that allow untrusted domains to interact with the application.
- [Deserialization of Untrusted Data](https://guide.codepure.com/vulnerabilities/deserialization.md): Architectural examples and mitigation for Insecure Deserialization in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [LDAP Injection](https://guide.codepure.com/vulnerabilities/ldap-injection.md): Architectural examples and mitigation for LDAP Injection in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Path Traversal](https://guide.codepure.com/vulnerabilities/path-traversal.md): Architectural examples and mitigation for Path Traversal in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [SQL Injection (SQLi)](https://guide.codepure.com/vulnerabilities/sql-injection.md): Architectural examples and mitigation for SQL Injection in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Server-Side Request Forgery (SSRF)](https://guide.codepure.com/vulnerabilities/ssrf.md): Architectural examples and mitigation for SSRF in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [Cross-Site Scripting (XSS)](https://guide.codepure.com/vulnerabilities/xss.md): Architectural examples and mitigation for XSS in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.
- [XML External Entity (XXE)](https://guide.codepure.com/vulnerabilities/xxe.md): Architectural examples and mitigation for XXE in Django, Spring Boot, Rails, Express, ASP.NET Core, and Laravel.