Security Glossary: Plain-English Definitions


~ Reference guide - bookmark for later

TL;DR

This glossary explains common security terms in plain English. Bookmark it and refer back when you encounter unfamiliar terms in scan results, documentation, or tutorials. No technical background required.

CheckYourVibe's security glossary provides plain-English explanations of security concepts specifically tailored for non-technical founders and vibe coders. Understanding security vocabulary is half the battle. When you know what terms mean, scan results become actionable instead of intimidating, and documentation becomes useful instead of confusing.

These definitions are written at a non-technical level and verified by security professionals.

A C E H I J R S T X

A

API Key

A password-like string that lets your app access external services. Think of it as a key to someone else's house. They give you the key so you can use their stuff.

Example: Your OpenAI API key lets your app send requests to ChatGPT. If someone steals this key, they can use OpenAI on your account and you pay the bill.

Related: Secret Key, Environment Variables

Authentication

The process of verifying who someone is. It answers the question "Are you who you say you are?" Usually done with a username and password.

Example: When you log into your app, you're authenticating. The app checks your password to verify your identity.

Related: Authorization, Session

Authorization

The process of checking what someone is allowed to do. It answers the question "Are you allowed to do this?" Happens after authentication.

Example: You're logged in (authenticated), but can you delete other users' posts? Authorization decides. Regular users can't. Admins can.

C

CORS (Cross-Origin Resource Sharing)

A security feature that controls which websites can access your API. Browsers block requests from other websites unless your server explicitly allows them.

Example: If your API is at api.yoursite.com, CORS settings determine whether evilsite.com can call your API from their JavaScript.

Credential Stuffing

An attack where hackers try username/password combinations stolen from other sites. They're betting users reuse passwords across sites.

Example: If your password was leaked in a LinkedIn breach and you use the same password for your banking app, attackers might try it there.

CSP (Content Security Policy)

A security header that tells browsers which sources of content are allowed. Helps prevent XSS attacks by blocking unauthorized scripts.

Example: A CSP can say "only run JavaScript from my domain," which blocks injected malicious scripts from running.

E

Environment Variables

Settings stored outside your code, usually in a .env file. Used to keep secrets like API keys out of your source code.

Example: Instead of writing apiKey: "sk-abc123" in your code, you write apiKey: process.env.OPENAI_API_KEY and put the actual key in .env.

Related: API Key, Secret Key

Encryption

Scrambling data so only authorized people can read it. Like writing a letter in a secret code that only the recipient can decode.

Example: HTTPS encrypts data between your browser and a website. If someone intercepts it, they just see gibberish.

H

Hashing

Converting data into a fixed-length string that can't be reversed. Different from encryption because you can't "unhash" to get the original.

Example: Passwords should be hashed before storing. When you log in, your password is hashed and compared to the stored hash. Even if the database is stolen, attackers don't have actual passwords.

HTTPS

The secure version of HTTP. Encrypts all data sent between your browser and a website so others can't read it.

Example: On HTTP, someone on the same Wi-Fi could see your passwords. On HTTPS, they just see encrypted gibberish.

I

IDOR (Insecure Direct Object Reference)

A vulnerability where users can access data by guessing or changing IDs in URLs. The app doesn't check if they should have access.

Example: If /invoice/123 shows invoice #123, can a user change it to /invoice/124 and see someone else's invoice? That's IDOR.
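The /invoice/123 versus /invoice/124 case above, as an added example (not code from the glossary) using an in-memory SQLite table with two constructed users and invoices. The vulnerable lookup filters by id only; the fixed lookup also filters by the logged-in user's id, which is the same per-row check that Row Level Security enforces inside the database.

```python
import sqlite3
from typing import Optional, Tuple

# Added example with constructed data: user 1 owns invoice 123, user 2 owns 124.
Result = Tuple[str, Optional[tuple]]  # (HTTP status, invoice row or None)


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [(123, 1, 4200), (124, 2, 9900)])
    return db


def get_invoice_vulnerable(db: sqlite3.Connection, current_user_id: int, invoice_id: int) -> Result:
    """IDOR: the query trusts the id from the URL and never looks at who is asking."""
    row = db.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    return ("200", row) if row else ("404", None)


def get_invoice_fixed(db: sqlite3.Connection, current_user_id: int, invoice_id: int) -> Result:
    """Scope the lookup to the caller's own rows.

    Another user's invoice id returns 404 rather than 403, so the response does
    not even confirm that the guessed id exists.
    """
    row = db.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()
    return ("200", row) if row else ("404", None)
```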

Input Validation

Checking that user input matches what you expect before using it. Rejects obviously wrong or malicious data.

Example: If a field expects an email, validation checks for the @ symbol and valid format before accepting it.

J

JWT (JSON Web Token)

A compact way to securely transmit information between parties. Often used for authentication. Contains encoded (not encrypted) data.

Example: After you log in, the server gives you a JWT. You send it with each request to prove you're authenticated.

Related: Session, Authentication
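To make "encoded, not encrypted" concrete, here is an added example (not code from the glossary) of a minimal HS256 JWT built with the standard library: anyone holding the token can read its payload, but changing the payload breaks the signature unless you know the server's secret. The secret and payload values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example: HS256 JWT sign / read / verify. The secret is a constructed value.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Return header.payload.signature; the first two parts are plain base64url JSON."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def read_payload_unverified(token: str) -> dict:
    """What any holder of the token can see: no secret needed, so never put secrets in a JWT."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the signature checks out; None for any bad token."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
```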

R

Rate Limiting

Limiting how many requests a user can make in a time period. Prevents abuse and brute force attacks.

Example: Allowing only 5 login attempts per minute. After that, the user is temporarily blocked. Stops attackers from trying thousands of passwords.

RLS (Row Level Security)

A database feature that controls which rows each user can access. Essential for multi-user apps using Supabase or similar.

Example: With RLS, when User A queries the "notes" table, they only see their own notes, even though all users' notes are in the same table.

See our Supabase RLS guide

S

Secret Key

An API key that must never be exposed. Usually starts with "sk_" or contains "secret". If exposed, attackers can fully access that service.

Example: Stripe's sk_live_... key can make charges on your account. Never put it in frontend code where users can see it.

Session

A way to remember that a user is logged in between requests. Usually stored as a cookie. Has an expiration time.

Example: After you log in, a session is created. That's why you don't have to log in again on every page.

SQL Injection

An attack where malicious SQL code is inserted into input fields. Can read, modify, or delete database data.

Example: If a login form doesn't sanitize inputs, entering ' OR '1'='1 as a password might bypass authentication entirely.

Prevention: Use parameterized queries; never concatenate user input into SQL.

T

Token

A string that represents authorization or identity. Used instead of sending passwords with every request.

Example: After logging in, you receive an access token. Send this token with requests instead of your password.

Related: JWT, API Key

Two-Factor Authentication (2FA)

Requiring two types of proof to log in. Usually "something you know" (password) plus "something you have" (phone for SMS code).

Example: After entering your password, you also enter a code from an authenticator app. Even if someone steals your password, they can't log in without your phone.

X

XSS (Cross-Site Scripting)

An attack where malicious JavaScript runs in users' browsers. Happens when user input is displayed without sanitization.

Example: If a comment field doesn't escape HTML, someone could post a <script> tag as a comment and run code in other users' browsers.

Prevention: Always escape/sanitize user input before displaying it.

Bookmark this page. Come back whenever you encounter an unfamiliar term in scan results, documentation, or tutorials. Understanding the vocabulary is half the battle.

Where to Go Next
Just Starting

Start Your Security Journey

Use this glossary alongside our complete getting started guide.


Have Results

Understanding Scan Results

Learn what each finding type means and how to prioritize fixes.


See In Practice

Common Security Mistakes

See these terms applied to real vulnerabilities.
