
The alphabet soup decoder

Security people love acronyms because apparently "one customer can read another customer's invoice" was not alarming enough. Here are the ones Blinkof uses, checks, or complains about in reports.

By Blinkof.ai · Built for founders who did not ask to become compliance soup chefs


How to read this: if Blinkof shows one of these acronyms during a scan, click it. You get the human version, not a standards committee's bedtime story.

API: Application Programming Interface

An API is how your frontend asks the backend for things: orders, users, invoices, admin powers it definitely should not have. Blinkof looks for exposed API routes, leaked JSON, and endpoints that answer too helpfully.

Vibe check: if /api/users returns everyone, your app is oversharing like a drunk founder at 2 a.m.

a11y: Accessibility

"Accessibility" has 13 letters, so people squeezed it into a11y. It covers whether people using keyboards, screen readers, zoom, or assistive tech can actually use the app.

Blinkof checks basics because a button without a label is not minimalist. It is just hiding.

BOLA: Broken Object Level Authorization

BOLA is the API-security name for object-level access bugs: "Can Alice read Bob's invoice by asking for Bob's invoice ID?" It overlaps heavily with IDOR.

If your app says "logged in is good enough," BOLA says "thank you for the data buffet."

BFLA: Broken Function Level Authorization

BFLA is when a normal user can call privileged functions: admin exports, role edits, billing adjustments, impersonation, internal dashboards, and other "surely nobody will try this URL" classics.

Blinkof probes this gently with low-privilege GET requests. We knock on the admin door; we do not move in.

CCPA: California Consumer Privacy Act

California privacy law. It gives people rights over personal data, including deletion and opt-out rights in many contexts.

If your app has users in California, "we are tiny" is not a privacy policy.

CDN: Content Delivery Network

A CDN serves assets close to users. Great for speed. Less great if authenticated pages are cached like public brochures.

Cache rules are tiny until they serve Account A's dashboard to Account B.

CI: Continuous Integration

CI runs checks on every change or deploy. Tests, builds, lint, and, if you are feeling responsible, a Blinkof scan.

Future-you deserves more than "I clicked around and it seemed fine."

CLS: Cumulative Layout Shift

A Core Web Vitals metric for how much the page jumps around while loading. Low CLS means buttons stay where users expect them.

A checkout button that runs away is not a growth experiment.

CORS: Cross-Origin Resource Sharing

CORS tells browsers which other websites may read responses from your site. A sloppy CORS setup can let random sites read logged-in API data from your users' browsers.

CORS is not "make the red error go away." It is a front door policy with punctuation.

CSP: Content Security Policy

CSP is a browser-enforced allowlist for scripts, frames, images, and connections. It helps limit damage from XSS and supply-chain weirdness.

A good CSP is a nightclub bouncer for JavaScript. A bad one lets in anyone wearing *.
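An added example (not Blinkof's or the page's code) of the allowlist idea above: it parses a CSP header and lists the sources that weaken script execution, with a caveat for nonced policies. The two header strings are constructed samples.

```python
# Added example, not Blinkof's code: parse a Content-Security-Policy header and
# flag the sources that let "anyone wearing *" run script. The two header strings
# at the bottom are constructed samples.
from __future__ import annotations

# Sources that make a code-execution directive roughly meaningless.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
# Directives that govern code execution; a wildcard here is the expensive kind.
CODE_DIRECTIVES = ("default-src", "script-src", "object-src")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header: str) -> dict[str, list[str]]:
    """Turn 'name src src; name src' into {name: [sources]}. A repeated
    directive is ignored after its first occurrence, as browsers do."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy

def csp_findings(header: str) -> list[str]:
    """Human-readable findings; an empty list means nothing weak was seen."""
    policy = parse_csp(header)
    findings: list[str] = []
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts are unrestricted")
    for name in CODE_DIRECTIVES:
        sources = policy.get(name, [])
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so in
        # that case it is a fallback for old browsers rather than a hole.
        nonced = any(s.startswith(NONCE_OR_HASH) for s in sources)
        for src in sources:
            if src == "'unsafe-inline'" and nonced:
                continue
            if src in WEAK_SOURCES:
                findings.append(f"{name} allows {src}")
    return findings

# Constructed samples: a policy that only silences console errors, and a strict one.
CSP_LOOSE = "default-src * 'unsafe-inline'; img-src *"
CSP_STRICT = "default-src 'self'; script-src 'nonce-abc123' 'unsafe-inline'; object-src 'none'"

if __name__ == "__main__":
    for label, header in (("loose", CSP_LOOSE), ("strict", CSP_STRICT)):
        print(label, csp_findings(header) or ["no weak sources"])
```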

CSRF: Cross-Site Request Forgery

CSRF tricks a logged-in user's browser into submitting an action they did not intend, like changing an email or deleting something.

Modern SameSite cookies help, but "probably fine" is still not a CSRF strategy.

DB: Database

The place your app stores users, orders, invoices, sessions, waitlist emails, and every "we'll clean this up later" row that becomes production history.

Blinkof checks for public DB access because "the frontend needs it" is not a permission model.

DKIM: DomainKeys Identified Mail

DKIM signs outgoing email so receivers can verify it really came from your domain and was not altered in transit.

Without DKIM, your transactional email has fake-moustache energy.

DMARC: Domain-based Message Authentication, Reporting, and Conformance

DMARC tells mail providers what to do when SPF or DKIM checks fail. It also gives you reports about who is sending mail as your domain.

It is how your domain says, "If this email is pretending to be me, throw it in the bin."

DNS: Domain Name System

DNS maps names like example.com to the servers and mail providers behind them. It also stores SPF, DKIM, DMARC, and verification records.

DNS is the internet's address book, maintained by goblins and TTLs.

DPA: Data Processing Agreement

A DPA is a contract covering how a vendor processes personal data for you. Common when you handle EU data or sell to serious companies.

Not fun. Often necessary. Like flossing for legal.

DSAR: Data Subject Access Request

A request from a person asking what data you have about them, or asking you to delete, correct, or export it.

If your deletion plan is "grep production and hope," this acronym is coming for you.

GDPR: General Data Protection Regulation

EU privacy law. If you collect personal data, GDPR expects things like a privacy notice, lawful basis, deletion rights, data minimization, and processor care.

Collecting "just an email" still counts. The law did not add a "vibe-coded waitlist" exemption.

HSTS: HTTP Strict Transport Security

HSTS tells browsers to use HTTPS for your site automatically, even if someone tries plain HTTP.

It is the browser remembering "we do not go down that dark alley anymore."

HTML: HyperText Markup Language

The structure of web pages. Buttons, forms, headings, links, metadata, and all the little tags AI sometimes uses like confetti.

If the HTML is chaotic, accessibility and SEO inherit the chaos.

HTTPS: HTTP Secure

HTTPS encrypts traffic between browser and site using TLS. It protects logins, cookies, form submissions, and user trust.

No HTTPS on a product site is like putting the login form on a postcard.

i18n: Internationalization

Internationalization means designing the app so it can handle different languages, currencies, date formats, plural rules, address formats, and right-to-left text without a rewrite.

The 18 is the number of letters between "i" and "n". Developers saw a long word and immediately compressed it, because apparently bytes were emotionally expensive.

IDOR: Insecure Direct Object Reference

IDOR happens when changing an ID in a URL or API call lets one user access another user's object: invoice, project, booking, profile, file.

This is why Blinkof's deep scan tries cross-account isolation on verified apps. For more depth, read "What is IDOR?"
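An added example, not Blinkof's or the page's code, covering both the BOLA and IDOR entries: the lookup that treats "logged in" as the whole policy, the lookup that scopes by owner, and the cross-account isolation check run against each. The invoices, user names and the `Forbidden` error are constructed for illustration.

```python
# Added example, not Blinkof's code: an invoice lookup in the IDOR/BOLA-prone
# form beside the fixed form, plus the kind of cross-account isolation check a
# scanner runs against both. Users and invoices below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: str
    total_cents: int

# Constructed sample data: Alice owns 1001, Bob owns 1002.
INVOICES = {1001: Invoice(1001, "alice", 4200), 1002: Invoice(1002, "bob", 9900)}

class Forbidden(Exception):
    """Raised when a caller asks for an object it may not see."""

def get_invoice_vulnerable(caller_id: str, invoice_id: int) -> Invoice:
    """'Logged in' is the whole policy: the caller is never compared to the owner."""
    return INVOICES[invoice_id]

def get_invoice_fixed(caller_id: str, invoice_id: int) -> Invoice:
    """Scope the lookup to the caller. A foreign ID and a missing ID raise the
    same error, so the response does not reveal which IDs exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller_id:
        raise Forbidden(f"invoice {invoice_id} is not available to {caller_id}")
    return inv

def isolation_check(fetch, caller_id: str, foreign_id: int) -> bool:
    """Cross-account isolation: True if the caller is refused the object,
    False if it comes back. Run it with an ID that belongs to another account."""
    try:
        fetch(caller_id, foreign_id)
    except Forbidden:
        return True
    return False

def scan_results() -> dict:
    """Alice, a low-privilege caller, asks for Bob's invoice through both lookups."""
    return {
        "vulnerable_isolated": isolation_check(get_invoice_vulnerable, "alice", 1002),
        "fixed_isolated": isolation_check(get_invoice_fixed, "alice", 1002),
        "fixed_own_total": get_invoice_fixed("alice", 1001).total_cents,
    }

if __name__ == "__main__":
    print(scan_results())
```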

INP: Interaction to Next Paint

A Core Web Vitals metric for how quickly the page visibly responds after user interaction.

If clicking "Sign up" feels like sending a message in a bottle, INP will know.

JWT: JSON Web Token

A signed token often used for sessions or API authentication. Useful, but dangerous when stored badly, trusted too broadly, or never expired.

A JWT is not magic. It is a permission slip with cryptographic stationery.

LCP: Largest Contentful Paint

A Core Web Vitals metric for when the main visible content finishes loading.

If your hero image arrives after the user's patience leaves, LCP is the receipt.

LLM: Large Language Model

The AI model generating code, copy, summaries, and occasionally confident nonsense. Useful teammate, unreliable witness.

Blinkof assumes LLM-built apps need testing because autocomplete is not QA.

MCP: Model Context Protocol

MCP lets AI agents discover and call tools. Remote MCP endpoints can expose tool names like run_sql, delete_user, or exec if not protected.

Blinkof checks public MCP metadata. Tool lists are not secrets exactly, but they are a menu. Attackers love menus.

MFA: Multi-Factor Authentication

MFA requires another proof besides a password: an app code, security key, passkey, or similar.

Passwords are reusable toothbrushes. MFA is not perfect, but it is less cursed.

MX: Mail Exchange

MX records tell the internet where to deliver email for your domain.

No MX, no inbox. Your verification emails are now performance art.

OAuth: Open Authorization

OAuth lets users sign in or grant access through providers like Google or GitHub without sharing passwords with your app.

Great when configured well. Hilarious when the callback URL is "whatever works locally."

OG: Open Graph

OG tags control how your link previews look on social platforms and chat apps.

No OG tags means your launch link may preview like a beige rectangle with commitment issues.

OWASP: Open Worldwide Application Security Project

OWASP publishes widely used security guidance, including the OWASP Top 10 and OWASP API Security Top 10.

When Blinkof says "OWASP," it means "this is not just us being dramatic."

PII: Personally Identifiable Information

Data that can identify a person: email, phone, name, address, account ID, IP address in many contexts, and combinations of clues.

Your "test data" becomes PII the moment it is about real people. Annoying, but true.

RBAC: Role-Based Access Control

RBAC grants permissions by role: user, admin, owner, support, billing manager, and so on.

RBAC is good. RBAC checked only in the UI is decorative.

RLS: Row Level Security

Database policies that decide which rows a user can read or write. Supabase apps especially rely on RLS to stop "authenticated users can read everything" disasters.

RLS is the lock on each row. Turning it off is not "moving fast"; it is "moving everyone's data into the hallway."

SEO: Search Engine Optimization

SEO helps search engines understand, index, and rank your pages. Titles, descriptions, canonical URLs, sitemap, indexability, and useful content all matter.

If your launch page is accidentally noindex, Google is not ignoring you. You asked it to.

SPF: Sender Policy Framework

SPF lists which servers are allowed to send email for your domain.

Without SPF, every mailbox provider squints at you suspiciously. Fair.
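An added example, not Blinkof's or the page's code, covering the SPF and DMARC entries: it reads the two TXT records a domain publishes and reports what a receiver does with unlisted senders and with mail that fails the checks. The record strings, `example.com`, and the helper names are constructed.

```python
# Added example, not Blinkof's code: read the SPF and DMARC TXT records a domain
# publishes and report what a receiving mailbox provider does with mail that is
# not covered by them. The record strings at the bottom are constructed samples.

# The qualifier on the final "all" mechanism decides the fate of any sender that
# matched nothing earlier in the record (include:, ip4:, a, mx ...).
SPF_ALL = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass"}

def spf_verdict_for_unlisted(record: str) -> str:
    """SPF result for a server the record does not list. Assumes no redirect=
    modifier; a record using one would need its target fetched and parsed too."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record at all
    for term in terms[1:]:
        t = term.lower()
        if t in SPF_ALL:
            return SPF_ALL[t]
        if t == "all":   # bare "all" carries an implicit "+"
            return "pass"
    return "neutral"     # no "all" term: unlisted senders neither pass nor fail

def dmarc_summary(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; pct=...; rua=...' into what it means in practice."""
    tags: dict[str, str] = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"enforced": False, "policy": "none", "reports": False}
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))   # pct=0 makes quarantine/reject advisory only
    return {
        "enforced": policy in ("quarantine", "reject") and pct > 0,
        "policy": policy,
        "reports": "rua" in tags,   # aggregate reports about who sends as you
    }

# Constructed sample records for a hypothetical example.com.
SPF_STRICT = "v=spf1 include:_spf.example.net -all"
SPF_OPEN = "v=spf1 include:_spf.example.net +all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (SPF_STRICT, SPF_OPEN):
        print(rec, "->", spf_verdict_for_unlisted(rec))
    for rec in (DMARC_MONITOR, DMARC_ENFORCE):
        print(rec, "->", dmarc_summary(rec))
```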

SRI: Subresource Integrity

SRI lets browsers verify that a third-party script or stylesheet matches the expected cryptographic hash.

It is a tamper seal for borrowed JavaScript. Borrowed JavaScript deserves suspicion.

SSE: Server-Sent Events

SSE is a one-way stream from server to browser. Some web MCP transports use it.

Like WebSockets' calmer cousin who still needs authentication.

SSO: Single Sign-On

SSO lets users authenticate through a central identity provider, often via OAuth, OIDC, or SAML.

Amazing for teams. Mildly spicy for automated scanners if there is no test login path.

SSRF: Server-Side Request Forgery

SSRF happens when attackers make your server fetch internal or sensitive URLs on their behalf.

Any "paste a URL and we fetch it" feature needs guardrails, unless your cloud metadata service wants visitors.

TLS: Transport Layer Security

TLS is the encryption protocol behind HTTPS.

The padlock is not vibes. It is TLS doing chores.

UX: User Experience

UX is how the product feels to use: clarity, flow, friction, trust, empty states, and whether a real person can complete the job.

A secure app that nobody can finish signing up for is still a bug with better posture.

WAF: Web Application Firewall

A WAF filters suspicious web traffic before it reaches your app.

Helpful guard dog. Not a substitute for locking the doors inside the house.

WCAG: Web Content Accessibility Guidelines

WCAG is the main accessibility standard for web content.

If your form only works for a mouse, WCAG has entered the chat.

XSS: Cross-Site Scripting

XSS lets attacker-controlled JavaScript run in another user's browser. It often starts with unsafe rendering of comments, names, search terms, or form input.

Blinkof puts harmless hostile input into forms to see whether your app reflects it back unsafely. The payload is fake. The problem would be real.

Want fewer scary letters?

Paste your URL. Blinkof runs the checks, explains the findings, and gives you paste-ready fix prompts.
