Learn web security, one guide at a time.
Practical reference guides on the topics SecureMonk scans for. No ceremony, no filler, no AI-flavored summary at the end.
Software supply chain risk: why it keeps getting worse, and what to do about it
Most of your site runs on code you did not write. Why supply chain attacks are escalating, how bad the recent ones really were (xz, polyfill.io, tj-actions), and how to watch for, find, fix, and manage the risk.
Every check in your SecureMonk scan, mapped to the attack it stops
A complete reference for what each TLS and header finding actually defends against, and why fixing it matters. Start here if you want the whole picture in one place.
The four security headers worth fighting for
HSTS, CSP, X-Frame-Options, and X-Content-Type-Options. What each one does, how to set it, and what breaks if you do it wrong.
How HSTS actually works, and when to use preload
A practical guide to the Strict-Transport-Security header, the three directives, and the decisions around the browser preload list.
Content-Security-Policy from scratch
A step-by-step path from no CSP to an enforced CSP without breaking the site. Report-only mode, the directives, and the common pitfalls.
Reading your TLS cipher suite list without getting lost
What the parts of a cipher suite name mean, which ones are safe in 2026, and how to decide what to disable.
What "TLS 1.3 only" costs you in browser and client compatibility
Turning off TLS 1.2 sounds great on a checklist. Here is what actually breaks and how to decide for your audience.
Subresource Integrity: when it helps and when it does not
SRI is great at one specific job and useless at several others. The narrow case where it earns its keep.