Security
System Design
Authentication & Authorization (OAuth2, JWT, RBAC)
Authentication answers 'who are you?'. Authorization answers 'what are you allowed to do?'. Most systems get both wrong in subtle ways: rolling their own crypto, treating JWTs as a session store, copying RBAC into every service, or never thinking about how to revoke a leaked credential. This lesson covers the standard building blocks: password storage with adaptive hashing, session vs token authentication, OAuth2 and OIDC flows, JWTs and their honest trade-offs, RBAC vs ABAC vs ReBAC, multi-tenant authorization at scale, machine-to-machine auth (API keys, mTLS, workload identity), and the operational concerns (key rotation, revocation, audit). The goal is to leave you able to design and defend the auth architecture for any system, from a single product to a federated multi-tenant platform.
Encryption at Rest/Transit & Data Privacy (GDPR)
Encryption protects the confidentiality (and, with authenticated modes such as AES-GCM, the integrity) of data against anyone who can read the bytes but does not hold the key; privacy regulations (GDPR, CCPA, HIPAA, PCI-DSS) determine what data you may collect, how you must protect it, who may see it, and how you must respond to user requests. The two intersect: regulations mandate encryption in many cases, and encryption is the technical foundation for most privacy controls. This lesson covers the standard primitives (TLS 1.3 for transit, AES-GCM and envelope encryption for rest), key management (KMS, HSM, key rotation), application-level encryption (per-tenant keys, field-level encryption, deterministic encryption for searchability), the privacy-engineering layer (data classification, minimization, retention, right-to-be-forgotten), and the operational realities (key compromise, crypto-shredding, BYOK, audit logs). The goal is to leave you able to design a system that is encryption-correct, privacy-compliant, and operationally honest about its trade-offs.
DDoS Protection, WAF & Security Best Practices
DDoS attacks try to exhaust your bandwidth, your TCP stack, your application capacity, or your downstream dependencies. A WAF (web application firewall) tries to block exploit traffic before it reaches your code. Together with rate limiting, bot management, anti-abuse tooling, and a hardened application layer, they form the defensive perimeter that real production systems live behind. This lesson covers the layered defense: edge / CDN scrubbing for L3/L4 floods, rate limiting and bot detection for L7 abuse, WAF rules for OWASP-class exploits, the OWASP Top 10 with concrete mitigations, secure development practices (input validation, output encoding, secrets management, dependency hygiene), incident response, and the operational realities of running this stack (false positives, vendor selection, escalation, post-mortems). The goal is to leave you able to design and defend the security perimeter for any user-facing system.
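The rate-limiting layer named above, as an added example in Node (editor-supplied illustration, not the lesson's own code): a per-client token bucket that returns an allow/deny decision plus a `Retry-After` value. The in-memory `Map`, the policy numbers, and the simulated burst are constructed assumptions; a real deployment keys by authenticated principal where one exists, falls back to client IP, and shares state across edge nodes.

```javascript
// Token bucket: each client gets `capacity` tokens, refilled continuously at
// `refillPerSec`. A request costs one token; an empty bucket means deny.
class TokenBucketLimiter {
  constructor({ capacity, refillPerSec }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.buckets = new Map(); // constructed in-memory store; Redis in production
  }

  // Returns { allowed, remaining, retryAfterSec } for one request at time nowMs.
  check(key, nowMs) {
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, updatedMs: nowMs }; this.buckets.set(key, b); }
    const elapsedSec = Math.max(0, nowMs - b.updatedMs) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updatedMs = nowMs;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterSec: 0 };
    }
    // Seconds until one whole token exists again; surface as a Retry-After header.
    const retryAfterSec = Math.ceil((1 - b.tokens) / this.refillPerSec);
    return { allowed: false, remaining: 0, retryAfterSec };
  }
}

// Constructed scenario: `count` requests from one client, 10 ms apart.
function simulateBurst(limiter, key, count, startMs) {
  const results = [];
  for (let i = 0; i < count; i += 1) results.push(limiter.check(key, startMs + i * 10));
  return results;
}

// Policy used by the scenario: bursts of 10, sustained 2 requests/second.
const limiter = new TokenBucketLimiter({ capacity: 10, refillPerSec: 2 });
```

A bucket is the right primitive for an edge limiter because it tolerates a legitimate burst (page load fanning out into ten API calls) while still pinning the sustained rate; a fixed window would either reject the burst or admit twice the rate at a window boundary. The deny branch returns a delay rather than just `false` so the response can carry `Retry-After` and well-behaved clients back off instead of hammering.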
Community
Verify a JWT Without a JWT Library
How I verify HS256 JSON Web Tokens with the Web Crypto API and zero npm dependencies. Decodes the segments, checks the signature in constant time, and refuses to trust `alg: none`.
RBAC vs ABAC vs ReBAC, Explained
RBAC, ABAC, and ReBAC are different shapes for different rules, not stages of maturity. Pick by the shape of your access policy, and most real systems end up a thoughtful hybrid.
TLS Handshake and Certificate Chain Quiz
A 4-question reference set on TLS 1.3: the handshake flights, certificate chain validation, SNI privacy, and mTLS rotation. Covers the practical knobs that show up at staff-level networking interviews.
A Request/Response Logger That Does Not Leak Secrets
The redact-by-key logger I add to every Node service before it touches production logs. Catches headers, JWTs, card numbers, and Stripe keys without paying for a SIEM scrubber.
A Prompt Template With Safe Interpolation
After a customer email leaked into a system prompt and changed the model's persona, I built a 30-line template that quotes user input, fences code, and refuses unknown placeholders. Use it before every LLM call.
JWT vs Sessions and When Stateless Bites Back
Sessions are the right default for first-party web apps. JWTs make sense at federation boundaries. Stateless is a property of where state lives, not whether it exists.
OAuth2 and OpenID Connect: The Flows That Actually Matter
OAuth 2.0 is delegation. OpenID Connect is identity. Most bugs come from confusing the two. The four flows that matter, the eight checks I review, and what to never roll yourself.
Webhook Design: Retries, Signatures, and Replay Protection
Sign requests. Dedupe by event id. Apply idempotently by resource id. Ack fast, process async. Tolerate out-of-order. Five concerns that turn a webhook into critical infrastructure.
Signed URL Generator With HMAC
The 60-line HMAC-signed URL helper I use for download links and webhook callbacks. Stdlib only, constant-time verification, expiry baked in, and no S3 dependency to debug at 2 a.m.
Webhook Signature Verifier With Replay Protection
How I verify Stripe-style webhook signatures and stop someone from re-POSTing yesterday's `invoice.paid`. Stdlib HMAC, a tolerance window, and an idempotency cache that lives in any Redis-shaped store.
