In order to raise security awareness broadly in our teams (repetition is the mother of learning), I was asked to talk to them about the OWASP Top 10. Well, reading the cheat sheet, there was material in there that I ... just didn't get. So I consulted our in-house Cloud Security Architect and had him explain things to me, a favour which I thought I'd pay forward. This article, then, will highlight some parts of the Top 10 which were either hard to grasp, or where our CSA gave additional insights.

A1 Injection

Is the posted response (the client's request body) still in the encoding you sent out (UTF-8)? Here, what we want to protect ourselves from is an attacker forcing our poor web server to start spewing out logs due to unhandled exceptions, giving the attacker more information. So, before you even start processing the request: does it have the appropriate encoding? If not, it's appropriate to return 400 Bad Request. We can be unapologetically obtuse here, logging the error on the server side, but
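As an added example (not code from the original post), here is a minimal WSGI front-door check in Python that applies the rule above: anything that is not valid UTF-8 is refused with a bare 400 Bad Request before any parsing happens, and the detail (declared charset, byte offset of the bad sequence) goes only to the server log. The function and application names are my own, and the sample bodies in the comments are constructed.

```python
import logging
from typing import Optional, Tuple

log = logging.getLogger("request-encoding")


def charset_from_content_type(content_type: Optional[str]) -> Optional[str]:
    """Return the charset parameter of a Content-Type header, lower-cased, or None."""
    if not content_type:
        return None
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "charset":
            return value.strip().strip('"').lower()
    return None


def check_request_encoding(content_type: Optional[str], body: bytes) -> Tuple[int, str]:
    """Gate the request before any processing: (200, decoded text) or (400, 'Bad Request').

    Two checks: the charset the client *declares* must be UTF-8 (or absent), and the
    bytes it *sends* must actually decode as strict UTF-8.  Python's strict decoder
    rejects overlong forms such as b'\\xc0\\xaf', unpaired surrogates such as
    b'\\xed\\xa0\\x80' and truncated sequences such as b'\\xe2\\x82', so the classic
    encoding tricks never reach a parser that could throw an informative exception.
    """
    charset = charset_from_content_type(content_type)
    if charset not in (None, "utf-8", "utf8"):
        log.warning("rejected request: declared charset %r is not UTF-8", charset)
        return 400, "Bad Request"
    try:
        text = body.decode("utf-8")  # strict decoding; errors raise instead of replacing
    except UnicodeDecodeError as exc:
        # The specifics stay in the server log; the client only ever sees the terse status.
        log.warning("rejected request: body is not valid UTF-8 at byte %d (%s)", exc.start, exc.reason)
        return 400, "Bad Request"
    return 200, text


def app(environ, start_response):
    """WSGI application: the encoding gate runs before any real handling of the body."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length)
    status, text = check_request_encoding(environ.get("CONTENT_TYPE"), body)
    if status != 200:
        start_response("400 Bad Request", [("Content-Type", "text/plain; charset=utf-8")])
        return [b"Bad Request"]  # deliberately obtuse: no hint about what was wrong
    # Only past this point does the application touch `text` (parsing, validation, ...).
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [f"received {len(text)} characters".encode("utf-8")]
```

Run with `wsgiref.simple_server.make_server("127.0.0.1", 8080, app).serve_forever()` to try it locally; the client gets the same six-byte answer for every kind of bad encoding.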