STP security features: PortFast (skip STP for end devices — fast connection), BPDUGuard (disable port if BPDU received — prevents rogue switches), RootGuard (prevents root bridge election manipulation).
Attackers can inject superior BPDUs to become the root bridge, enabling traffic interception. BPDUGuard prevents this on access ports. Enable PortFast + BPDUGuard on all access switch ports (not trunk ports). Enable RootGuard on uplink ports.