Practical Security Guides For Your Team
Clear, non-alarmist guidance for real web vulnerabilities so your team can prioritize fixes confidently.
Email Domain Not Protected Against Impersonation
Severity: medium
Your domain has a DMARC record, but it's set to 'monitor only' — meaning it watches for suspicious email activity but takes no action to stop it. Anyone can currently send emails that appear to come from your domain, and those emails will land in recipients' inboxes unchallenged. Think of it like having a security camera but no lock on the door.
Outdated Vue.js Library Has a Known Security Flaw (CVE-2018-6341)
Severity: medium
Your website is using an old version of Vue.js (a JavaScript library that powers your web pages) that has a known security flaw. The flaw only affects sites that render pages on the server before sending them to visitors — a common setup for faster-loading or SEO-friendly sites. If your site works this way and passes user-supplied data into page attributes, the flaw could allow a malicious user to inject unwanted code into your pages. Upgrading Vue.js to a newer version fully resolves this.
Syntax Highlighter Library Can Be Used to Freeze or Crash Your App
Severity: medium
Your website uses an outdated version of a code-highlighting tool called Highlight.js (version 9.10.0). A known flaw in this version means that if your site lets users submit text that gets highlighted — like a code editor, comment box, or documentation tool — a malicious user could craft a special input that causes your server or browser to freeze up. This is only a concern if users can submit content that gets syntax-highlighted.
Outdated HTTP Library Can Be Used to Crash Your Application
Severity: medium
Your application uses an outdated version of Axios, a popular tool for making web requests. A known flaw in this version means that a malicious server — or an unexpectedly large response — can keep sending data even after your app has told it to stop, eventually overwhelming your server and causing it to crash or become unresponsive. The fix is a straightforward library upgrade.
Outdated Form Validation Library Can Make Your Website Unresponsive
Severity: medium
Your website uses an outdated version of a popular form-checking tool called jQuery Validation (version 1.14.0). This version has a known flaw where a visitor could submit a specially crafted input — like a malformed URL — that causes your site to freeze while processing it. Think of it like a lock that jams if you insert a bent key: the door stops working for everyone until the jam clears.
JavaScript Utility Library Can Be Crashed by Malicious Input (CVE-2026-27601)
Severity: high
Your application uses a JavaScript helper library called Underscore.js that has a flaw in two of its functions. Under specific conditions, an attacker could send specially crafted deeply-nested data to your server, causing it to crash and become temporarily unavailable. Think of it like sending a letter with 4,500 envelopes nested inside each other — the library tries to open every one and runs out of room.
Your Website Shares Private Data With Any Other Website That Asks
Severity: high
Your server is configured to trust any website that contacts it, including malicious ones. This means if one of your logged-in users visits a harmful website, that site can silently pull data from your application — such as account details, API keys, or personal information — without the user knowing. Think of it like a bank teller who hands over account information to anyone who calls, as long as they say the right words.
Next.js Image Feature Can Be Abused to Fill Up Your Server's Disk
Severity: medium
Your website uses Next.js, a popular web framework, which includes a feature that automatically resizes and optimises images for visitors. A flaw in versions before 16.1.7 means this feature stores an unlimited number of image variants on disk with no cap — like a filing cabinet with no limit on how many folders can be added. An attacker could deliberately flood this cache to fill up your server's storage and take your site offline.
Next.js Routing Flaw Could Expose Internal Backend Endpoints
Severity: medium
Your website's Next.js framework has a flaw in how it forwards certain web requests to your backend servers. Under specific conditions, an attacker could craft a specially shaped request that tricks the system into reaching internal or admin areas of your backend that were never meant to be publicly accessible. This only affects self-hosted setups — if your site runs on Vercel, you are not affected.
Outdated HTTP Library Can Be Used to Knock Your App Offline
Severity: high
Your application uses an old version of Axios (v0.12.0), a popular tool that helps your software communicate with other services over the internet. This version has a known flaw that lets anyone send a specially crafted request to slow your server to a crawl — potentially making your app unavailable to real users. Upgrading to a newer version takes a developer less than an hour and fully resolves the issue.
Next.js Image Feature Can Be Abused to Take Your Website Offline
Severity: high
Your website uses a feature in Next.js that automatically resizes and optimises images. A flaw in versions before 15.5.10 means an attacker could point this feature at an extremely large image and force your server to run out of memory — crashing your site. The attacker needs to be able to host or control a large image on a domain your site is already configured to trust.
Outdated Next.js Version Exposes Server to Unauthorized Internal Requests
Severity: high
Your website is running an outdated version of Next.js (the framework powering your web app) that contains a known security flaw. Under specific conditions, this flaw could allow an outside visitor to trick your server into making requests to internal systems it shouldn't be able to reach. A patch is available and the fix is straightforward — update to the latest version.