Traces web cache deception from Omer Gil's 2017 PayPal disclosure through the 2020 and 2022 measurement studies to the 2024 delimiter research, and the defenses that actually close the cache-versus-origin gap.
Traces the same-origin policy from Netscape 1995 to RFC 6454, then how CORS relaxes it through preflights and Access-Control headers, the misconfigurations that break it, and where the model stands in 2026.
A primary-source reference for the cookie security attributes: what HttpOnly, Secure, SameSite, Domain, and Path each enforce, why the __Host-/__Secure- prefixes exist, and the gaps each one leaves behind.
A reference on CSP: the directive and source-list model, nonces, hashes and strict-dynamic, report-only mode, the Google study that showed most real-world policies were bypassable, and why retrofitting a strict policy is so painful.
Traces how the integrity attribute verifies a third-party script against a cryptographic hash, the compromised-CDN attack it stops, the dynamic-resource gap it cannot close, and why adoption stayed in single digits.
A single-incident deep dive into the June 2024 Polyfill.io attack: the February domain sale, the conditional payload injected into hundreds of thousands of sites, the evasion logic that hid it, and the takedown that followed.
Two npm supply-chain cases dissected: the 2018 event-stream maintainer handoff that smuggled a Copay wallet stealer through flatmap-stream, and the 2022 node-ipc protestware that wiped files in Russia and Belarus.
A single-incident deep dive into CVE-2024-3094: the multi-year social engineering of the xz maintainer, the obfuscated build-time backdoor planted into sshd, and the 500-millisecond timing anomaly that exposed it.
How Alex Birsan's 2021 research turned the name of a private package into remote code execution at 35 companies, why installers prefer the higher public version, and the scoping defenses that close the gap.
Traces how injected JavaScript skimmers lift card data from checkout pages, what the British Airways and Newegg code actually did, the third-party-script vectors, and the SRI, CSP, and PCI DSS 4.0 defenses.
Traces how a browser or plugin bug turned a page visit into code execution: the redirect chain, landing-page fingerprinting, the Flash and Java exploit-kit economy of 2010-2016, and the decline as browsers and Adobe killed the attack surface.
A primary-source history of the exploit-kit era: the fingerprint-then-exploit flow, the rental economy behind Angler, Nuclear, RIG and Magnitude, the 2016 Angler takedown, and the collapse that followed Flash's death.
How traffic distribution systems gate and route victims through the malvertising chain: Keitaro-style filtering, server- and client-side cloaking, malicious ad injection, and the fingerprinting that hides payloads from researchers.
Traces the anti-analysis layer inside modern phishing kits: how IP, user-agent, and referrer checks serve a benign decoy to scanners while showing the credential form to victims, the anti-bot-as-a-service market, and how anti-phishing crawlers crawl back.
Traces the WAF from network packet filters that could not see HTTP, through Sanctum AppShield and Ivan Ristic's ModSecurity, the OWASP Core Rule Set, PCI DSS pushing adoption, to cloud WAFs and machine-learning attack scoring.
Two case studies in how browsers strip a certificate authority of trust: DigiNotar's 2011 breach and bankruptcy, and Symantec's 2017 mis-issuance saga and Google's staged distrust.