In the previous tutorials, we learned what Ktor is and how it compares to Spring Boot. Now it is time to build a real project. We will set up a proper Ktor application with the right project structure, plugins, error handling, and configuration. This is the foundation for everything we build in this series. Project Structure Here is the project structure we will create: ktor-tutorial/ ├── build.gradle.kts ├── settings.gradle.kts ├── gradle.properties ├── src/ │ ├── main/ │ │ ├── kotlin/ │ │ │ └── com/kemalcodes/ │ │ │ ├── Application.kt │ │ │ └── plugins/ │ │ │ ├── Routing.kt │ │ │ └── StatusPages.kt │ │ └── resources/ │ │ └── logback.xml │ └── test/ │ └── kotlin/ │ └── com/kemalcodes/ │ └── ApplicationTest.kt This follows the standard Kotlin/Gradle layout. Source code goes in src/main/kotlin, resources in src/main/resources, and tests in src/test/kotlin. ...

You decided to build a backend with Kotlin. Good choice. But now you face another decision: Ktor or Spring Boot? Both are great frameworks. Both support Kotlin. But they are very different in philosophy, design, and use cases. Let’s compare them honestly. The Big Picture Ktor is a lightweight, modular framework built by JetBrains. It is Kotlin-native, coroutine-based, and you add features as plugins. Spring Boot is a full-featured, batteries-included framework from VMware (now Broadcom). It started as a Java framework and added Kotlin support later. ...

You know Kotlin. You build Android apps, maybe KMP apps. But what about the backend? Every app needs a server. An API to fetch data from. A backend to store users, handle payments, send notifications. You could learn Node.js and Express. Or Python and FastAPI. Or Java and Spring Boot. Or you could use the Kotlin you already know — and build your backend with Ktor. What is Ktor? Ktor is a backend framework built by JetBrains — the same company that created Kotlin. It lets you build web servers, REST APIs, microservices, and web applications using Kotlin. ...

This is the final article in the Security for Developers series. It brings everything together into a single, actionable checklist you can use for every project. Bookmark this page and review it whenever you start a new project or prepare for a security review. How to Use This Checklist Each item is marked with a priority level: P0 (Critical): Do this before going to production. Skipping it means you are vulnerable. P1 (High): Do this within the first week of production. Important for security posture. P2 (Medium): Do this within the first month. Improves defense in depth. P3 (Low): Nice to have. Do when you have time. Authentication Checklist # Item Priority Details 1 Hash passwords with bcrypt or Argon2 P0 Never store plaintext. Use cost factor 12+ for bcrypt. 2 Enforce minimum password length of 8 characters P0 NIST recommends 8+ characters. Do not require special characters. 3 Use HTTPS for all authentication endpoints P0 Credentials in transit must be encrypted. 4 Implement account lockout after failed attempts P1 Lock after 5-10 failed attempts for 15-30 minutes. 5 Use JWT with short expiration (15-60 min) P1 Combine with refresh tokens for longer sessions. 6 Sign JWTs with RS256 or EdDSA (not HS256 for distributed) P1 Asymmetric signing prevents key sharing. 7 Store tokens in httpOnly cookies (not localStorage) P1 Prevents XSS from stealing tokens. 8 Implement refresh token rotation P1 Invalidate old refresh token on each use. 9 Validate JWT signature and expiration on every request P0 Never trust a token without validation. 10 Support multi-factor authentication (MFA) P2 TOTP or WebAuthn. SMS is better than nothing. 11 Check passwords against breached lists (Have I Been Pwned) P2 Reject passwords that appear in known breaches. 12 Log all authentication events P1 Successful and failed logins, password changes. Reference: Tutorial #2: Authentication ...

In the previous tutorial, you learned about security logging and monitoring. Now let us secure where your code runs. Docker containers are everywhere, but the default configuration is not secure enough for production. In this article, you will learn how to harden Docker containers, scan images for vulnerabilities, and manage secrets safely. Why Container Security Matters Containers provide isolation, but they are not virtual machines. By default: Containers run as root — if an attacker breaks out, they have root on the host Docker images contain hundreds of packages, many with known vulnerabilities Secrets are often baked into images or passed as environment variables (visible in process lists) Network ports are exposed by default — more attack surface A compromised container can lead to: ...

In the previous tutorial, you learned how to scan dependencies for vulnerabilities. But what happens when an attack is already in progress? Without proper logging and monitoring, you will not know until it is too late. In this article, you will learn what to log, what never to log, how to detect attacks, and how to set up meaningful alerts. The OWASP Top 10 lists “Security Logging and Monitoring Failures” as A09 because most breaches go undetected for months. ...

In the previous tutorial, you learned how to protect your application with security headers. But even if your code is perfect, a single vulnerable dependency can compromise everything. In this article, you will learn how to scan dependencies for vulnerabilities, prevent supply chain attacks, and keep your software secure. The Supply Chain Problem Modern software depends on hundreds of third-party packages. A typical Node.js project has 500-1500 dependencies. A Go project has 50-200. Each dependency is code written by someone else — and any of them could contain a vulnerability. ...

In the previous tutorial, you learned how to manage secrets safely. In this article, you will learn about HTTP security headers — simple response headers that tell browsers how to protect your users. Adding the right headers takes minutes and prevents entire categories of attacks. Why Security Headers Matter Security headers are instructions from your server to the browser. They say things like: “Only load scripts from my domain” (CSP) “Always use HTTPS” (HSTS) “Do not allow this page to be embedded in an iframe” (X-Frame-Options) Without these headers, browsers use permissive defaults that leave your users vulnerable. Adding headers is one of the highest-impact, lowest-effort security improvements you can make. ...

In the previous tutorial, you learned how to secure APIs with rate limiting and input validation. But the best API security means nothing if your secrets are hardcoded in source code. In this article, you will learn how to manage secrets properly — from .env files to production-grade vaults. The Problem: Secrets in Source Code Secrets are things like database passwords, API keys, JWT signing keys, and encryption keys. When developers hardcode them, bad things happen. ...