Secrets Management
beginnerDefinition
The careful way teams handle the sensitive things their apps need: passwords, API keys, signing tokens. The rules: never paste them into the code, never email them around, store them in a locked-down vault, and only hand them to the app at the moment it actually runs.
In the wild
An online store needs the password to its payments account. Instead of writing the password into the code where any developer could read it, the team puts it in a secure vault. The live website fetches it from the vault each time it starts up. And nobody else ever sees the actual value.
More from Security
Content Security Policy (CSP)
A whitelist that a website hands to the browser, saying 'only run code, fonts, and images from these places I trust: refuse anything else.' If an attacker manages to slip a sneaky script onto the page, the browser blocks it because it didn't come from an approved source.
CSRF (Cross-Site Request Forgery)
An attack that abuses the fact that you're already logged into a site. A different, sneaky page tricks your browser into sending a request to that trusted site on your behalf. And the site thinks it's you, because your login is still valid.
DDoS (Distributed Denial of Service)
An attack where a huge crowd of computers all hammer the same website at once, drowning it in fake traffic until real visitors can't get through. The attacker doesn't break in. They just make so much noise that nobody else can be heard.
Encryption vs Hashing
Two ways of protecting data, often confused. Encryption scrambles information with a key: anyone with the key can unscramble it later. Hashing is a one-way blender: it turns the data into a fixed scramble that can never be turned back. Payment details are encrypted (the company needs to read them). Passwords are hashed (nobody, not even the company, should be able to read them).
HTTPS / TLS
The technology that puts the little padlock in your browser's address bar. It scrambles all the traffic between your device and the website, so anyone snooping on the connection, at a coffee shop, on a hotel Wi-Fi, only sees nonsense. It also confirms that the site really is who it claims to be, not an imitation.
Input Sanitization
Carefully cleaning anything a visitor types into a website before doing anything with it: stripping out tricks, rejecting weird formats, and making sure the data is what you expected. It's the front-line defense against attackers who try to slip dangerous instructions into ordinary-looking form fields.