Security, Explained Plainly
Practical write-ups on the issues CloviScan finds most often — what they are, why they matter, and how to fix them. Written for builders, not just security specialists.
The leak isn't in your HTML — it's in the JSON you ship
Why header scanners miss the real exposure, and how to audit the rendered network responses your app actually delivers to the browser.
Guide · HeadersSecurity headers that actually matter (and the ones that don't)
CSP, HSTS, X-Frame-Options and friends — what each one protects against, and a sane order to add them in.
Guide · WordPressHardening WordPress without a security plugin
The handful of exposures that account for most WordPress incidents: wp-config.php, outdated plugins, exposed admin, and weak headers.
Hardcoded API keys: how they leak and how to stop it
Why secrets end up in source and version control, how scanners find them, and how to move them to environment variables safely.
Guide · ServerDangerous server defaults that ship to production
SSH root login, open database ports, EOL runtimes — the configuration gaps a perfect codebase can't save you from.
More write-ups are published here as we go. We don't pad this page with placeholder posts or fake counts.