Security HeaderHTTP response headers that tell browsers how to behave securely when displaying your app. The most important ones are Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and X-Content-Type-Options. Most AI-generated apps don't include these by default.SessionA temporary connection between a user and your app after they log in. Sessions are tracked with a session token (usually a cookie or JWT). Security requirements: sessions should expire after inactivity, and logging out should invalidate the session token server-side.SQL InjectionAn attack that inserts malicious SQL code into user input that gets executed by your database. Example: a search field that inserts the search term directly into a SQL query can be exploited to delete tables, extract all data, or bypass authentication. The fix: use parameterized queries or an ORM.SSL CertificateA digital certificate that enables HTTPS by proving your server is who it claims to be and enabling encryption. Modern hosting platforms (Vercel, Netlify, Fly.io) provision SSL certificates automatically. On custom domains with self-managed hosting, this requires manual setup.SSRF (Server-Side Request Forgery)An attack where an attacker tricks your server into making HTTP requests to internal services that should only be accessible from inside your infrastructure. Relevant if your app fetches URLs provided by users — an attacker might provide an internal IP address to access internal services.Supply Chain AttackAn attack targeting your app's dependencies (npm packages, CDN scripts) rather than your code directly. If an attacker compromises a package you use, malicious code runs in your app automatically on the next install or update. Keep dependencies updated and use Subresource Integrity (SRI) for external scripts.