Security for Developers #14: Security Checklist — Complete Guide

This is the final article in the Security for Developers series. It brings everything together into a single, actionable checklist you can use for every project. Bookmark this page and review it whenever you start a new project or prepare for a security review.

How to Use This Checklist

Each item is marked with a priority level:

- P0 (Critical): Do this before going to production. Skipping it means you are vulnerable.
- P1 (High): Do this within the first week of production. Important for security posture.
- P2 (Medium): Do this within the first month. Improves defense in depth.
- P3 (Low): Nice to have. Do when you have time.

Authentication Checklist

| # | Item | Priority | Details |
|---|------|----------|---------|
| 1 | Hash passwords with bcrypt or Argon2 | P0 | Never store plaintext. Use cost factor 12+ for bcrypt. |
| 2 | Enforce minimum password length of 8 characters | P0 | NIST recommends 8+ characters. Do not require special characters. |
| 3 | Use HTTPS for all authentication endpoints | P0 | Credentials in transit must be encrypted. |
| 4 | Implement account lockout after failed attempts | P1 | Lock after 5-10 failed attempts for 15-30 minutes. |
| 5 | Use JWT with short expiration (15-60 min) | P1 | Combine with refresh tokens for longer sessions. |
| 6 | Sign JWTs with RS256 or EdDSA (not HS256 for distributed systems) | P1 | Asymmetric signing prevents key sharing. |
| 7 | Store tokens in httpOnly cookies (not localStorage) | P1 | Prevents XSS from stealing tokens. |
| 8 | Implement refresh token rotation | P1 | Invalidate old refresh token on each use. |
| 9 | Validate JWT signature and expiration on every request | P0 | Never trust a token without validation. |
| 10 | Support multi-factor authentication (MFA) | P2 | TOTP or WebAuthn. SMS is better than nothing. |
| 11 | Check passwords against breached lists (Have I Been Pwned) | P2 | Reject passwords that appear in known breaches. |
| 12 | Log all authentication events | P1 | Successful and failed logins, password changes. |

Reference: Tutorial #2: Authentication ...

June 3, 2026 · 8 min

Security for Developers #13: Container and Docker Security

In the previous tutorial, you learned about security logging and monitoring. Now let us secure where your code runs. Docker containers are everywhere, but the default configuration is not secure enough for production. In this article, you will learn how to harden Docker containers, scan images for vulnerabilities, and manage secrets safely.

Why Container Security Matters

Containers provide isolation, but they are not virtual machines. By default:

- Containers run as root — if an attacker breaks out, they have root on the host
- Docker images contain hundreds of packages, many with known vulnerabilities
- Secrets are often baked into images or passed as environment variables (visible in process lists)
- Network ports are exposed by default — more attack surface

A compromised container can lead to: ...

June 3, 2026 · 7 min

Security for Developers #12: Security Logging and Monitoring

In the previous tutorial, you learned how to scan dependencies for vulnerabilities. But what happens when an attack is already in progress? Without proper logging and monitoring, you will not know until it is too late. In this article, you will learn what to log, what never to log, how to detect attacks, and how to set up meaningful alerts. The OWASP Top 10 lists “Security Logging and Monitoring Failures” as A09 because most breaches go undetected for months. ...

June 2, 2026 · 7 min

Security for Developers #11: Dependency Scanning and Supply Chain Security

In the previous tutorial, you learned how to protect your application with security headers. But even if your code is perfect, a single vulnerable dependency can compromise everything. In this article, you will learn how to scan dependencies for vulnerabilities, prevent supply chain attacks, and keep your software secure.

The Supply Chain Problem

Modern software depends on hundreds of third-party packages. A typical Node.js project has 500-1500 dependencies. A Go project has 50-200. Each dependency is code written by someone else — and any of them could contain a vulnerability. ...

June 2, 2026 · 6 min

Security for Developers #10: Security Headers — CSP, HSTS, X-Frame-Options

In the previous tutorial, you learned how to manage secrets safely. In this article, you will learn about HTTP security headers — simple response headers that tell browsers how to protect your users. Adding the right headers takes minutes and prevents entire categories of attacks.

Why Security Headers Matter

Security headers are instructions from your server to the browser. They say things like:

- “Only load scripts from my domain” (CSP)
- “Always use HTTPS” (HSTS)
- “Do not allow this page to be embedded in an iframe” (X-Frame-Options)

Without these headers, browsers use permissive defaults that leave your users vulnerable. Adding headers is one of the highest-impact, lowest-effort security improvements you can make. ...

June 2, 2026 · 9 min

Security for Developers #9: Managing Secrets — Environment Variables, Vaults, Key Rotation

In the previous tutorial, you learned how to secure APIs with rate limiting and input validation. But the best API security means nothing if your secrets are hardcoded in source code. In this article, you will learn how to manage secrets properly — from .env files to production-grade vaults.

The Problem: Secrets in Source Code

Secrets are things like database passwords, API keys, JWT signing keys, and encryption keys. When developers hardcode them, bad things happen. ...

June 1, 2026 · 8 min

Security for Developers #8: API Security — Rate Limiting, Input Validation, API Keys

In the previous tutorial, you learned how CORS controls cross-origin access to your API. But CORS is just one layer. APIs are the most attacked surface in modern applications, and they need multiple defenses. In this article, you will learn rate limiting, input validation, and API authentication best practices.

Why API Security Matters

Every mobile app, SPA, and microservice communicates through APIs. If your API is insecure, everything built on top of it is insecure. ...

June 1, 2026 · 9 min

Security for Developers #7: CORS — Cross-Origin Resource Sharing Explained

In the previous tutorial, you learned how CSRF attacks trick browsers into making unwanted requests. CORS is the browser’s mechanism for controlling which websites can make requests to your server. These two concepts are closely related, and developers often confuse them.

What Is the Same-Origin Policy?

Before we talk about CORS, you need to understand the same-origin policy. This is the browser’s most important security rule. Two URLs have the same origin if they share the same protocol, host, and port: ...

June 1, 2026 · 8 min

Security for Developers #6: CSRF — Cross-Site Request Forgery Prevention

In the previous tutorial, you learned how HTTPS and TLS protect data in transit. But even with HTTPS, your application can be tricked into performing actions on behalf of a user — without the user knowing. This is called CSRF (Cross-Site Request Forgery).

What Is CSRF?

CSRF is an attack where a malicious website tricks your browser into sending a request to another website where you are already logged in. The browser automatically includes your cookies — so the server thinks the request came from you. ...

May 31, 2026 · 8 min

Security for Developers #5: HTTPS and TLS — How Encryption Works

In the previous tutorial, you learned how to prevent SQL injection and XSS. Those attacks target your application logic. But there is another attack surface — the network. When data travels between your user’s browser and your server, anyone in between can read or modify it. Unless you use HTTPS.

What is HTTPS?

HTTPS is HTTP with encryption. It uses TLS (Transport Layer Security) to encrypt all data between the client and the server. ...

May 31, 2026 · 9 min