Security

0 lessons
1 code snippet
3 system designs
10 community items

System Design

3 articles
Authentication & Authorization (OAuth2, JWT, RBAC)

Authentication answers 'who are you?'. Authorization answers 'what are you allowed to do?'. Most systems get both wrong in subtle ways: rolling their own crypto, treating JWTs as a session store, copying RBAC into every service, or never thinking about how to revoke a leaked credential. This lesson covers the standard building blocks: password storage with adaptive hashing, session vs token authentication, OAuth2 and OIDC flows, JWTs and their honest trade-offs, RBAC vs ABAC vs ReBAC, multi-tenant authorization at scale, machine-to-machine auth (API keys, mTLS, workload identity), and the operational concerns (key rotation, revocation, audit). The goal is to leave you able to design and defend the auth architecture for any system, from a single product to a federated multi-tenant platform.

authentication
authorization
oauth2
jwt
rbac
system-design
advanced
premium
security

295

7

Medium
System Design
Premium

Encryption at Rest/Transit & Data Privacy (GDPR)

Encryption protects data from unauthorized access; privacy regulations (GDPR, CCPA, HIPAA, PCI-DSS) determine what data you may collect, how you must protect it, who can see it, and how you must respond to user requests. The two intersect: regulations mandate encryption in many cases, and encryption is the technical foundation for most privacy controls. This lesson covers the standard primitives (TLS 1.3 for transit, AES-GCM and envelope encryption for rest), key management (KMS, HSM, key rotation), application-level encryption (per-tenant keys, field-level encryption, deterministic encryption for searchability), the privacy-engineering layer (data classification, minimization, retention, right-to-be-forgotten), and the operational realities (key compromise, crypto-shredding, BYOK, audit logs). The goal is to leave you able to design a system that is encryption-correct, privacy-compliant, and operationally honest about its trade-offs.

encryption
data-privacy
gdpr
kms
envelope-encryption
system-design
advanced
premium
security

947

12

Hard
System Design
Premium

DDoS Protection, WAF & Security Best Practices

DDoS attacks try to exhaust your bandwidth, your TCP stack, your application capacity, or your downstream dependencies. A WAF (web application firewall) tries to block exploit traffic before it reaches your code. Together with rate limiting, bot management, anti-abuse tooling, and a hardened application layer, they form the defensive perimeter that real production systems live behind. This lesson covers the layered defense: edge / CDN scrubbing for L3/L4 floods, rate limiting and bot detection for L7 abuse, WAF rules for OWASP-class exploits, the OWASP Top 10 with concrete mitigations, secure development practices (input validation, output encoding, secrets management, dependency hygiene), incident response, and the operational realities of running this stack (false positives, vendor selection, escalation, post-mortems). The goal is to leave you able to design and defend the security perimeter for any user-facing system.

ddos
waf
security
rate-limiting
owasp
system-design
advanced
premium

498

12

Hard

Community

10 items
Code Snippet

Verify a JWT Without a JWT Library

How I verify HS256 JSON Web Tokens with the Web Crypto API and zero npm dependencies. Decodes the segments, checks the signature in constant time, and refuses to trust `alg: none`.

JavaScript
jwt
authentication
security
hashing

457

3

4.1 (9)

Apr 30, 2026

by @chidiweber

Article

RBAC vs ABAC vs ReBAC, Explained

RBAC, ABAC, and ReBAC are different shapes for different rules, not stages of maturity. Pick by the shape of your access policy, and most real systems end up a thoughtful hybrid.

rbac
authorization
security
system-design
api-design

445

2

4.0 (9)

Apr 9, 2026

by @lucasmoreau

Question Bundle
Free

TLS Handshake and Certificate Chain Quiz

A 4-question reference set on TLS 1.3: the handshake flights, certificate chain validation, SNI privacy, and mTLS rotation. Covers the practical knobs that show up at staff-level networking interviews.

Python
tls
security
networking
interview-prep

240

8

4.3 (14)

Apr 3, 2026

by CodeSnatch

Code Snippet

A Request/Response Logger That Does Not Leak Secrets

The redact-by-key logger I add to every Node service before it touches production logs. Catches headers, JWTs, card numbers, and Stripe keys without paying for a SIEM scrubber.

TypeScript
logging
security
error-handling
code-template

434

14

4.4 (15)

Mar 6, 2026

by @nadiaali

Code Snippet

A Prompt Template With Safe Interpolation

After a customer email leaked into a system prompt and changed the model's persona, I built a 30-line template that quotes user input, fences code, and refuses unknown placeholders. Use it before every LLM call.

Python
openai
security
code-template
error-handling

1k

10

4.4 (15)

Feb 4, 2026

by @elisehuang

Article

JWT vs Sessions and When Stateless Bites Back

Sessions are the right default for first-party web apps. JWTs make sense at federation boundaries. Stateless is a property of where state lives, not whether it exists.

jwt
authentication
security
session-affinity
backend

198

3

4.1 (10)

Feb 2, 2026

by @ninarossi

Article

OAuth2 and OpenID Connect: The Flows That Actually Matter

OAuth 2.0 is delegation. OpenID Connect is identity. Most bugs come from confusing the two. The four flows that matter, the eight checks I review, and what to never roll yourself.

oauth2
authentication
authorization
security
jwt

579

6

4.2 (9)

Jan 2, 2026

by @arjunpatel

Article

Webhook Design: Retries, Signatures, and Replay Protection

Sign requests. Dedupe by event id. Apply idempotently by resource id. Ack fast, process async. Tolerate out-of-order. Five concerns that turn a webhook into critical infrastructure.

webhooks
security
reliability
idempotency
api-design

1k

31

4.3 (11)

Dec 29, 2025

by @oliviadelgado

Code Snippet

Signed URL Generator With HMAC

The 60-line HMAC-signed URL helper I use for download links and webhook callbacks. Stdlib only, constant-time verification, expiry baked in, and no S3 dependency to debug at 2 a.m.

Python
presigned-urls
security
hashing
utility

604

8

4.5 (9)

Dec 15, 2025

by @samirakumar

Code Snippet

Webhook Signature Verifier With Replay Protection

How I verify Stripe-style webhook signatures and stop someone from re-POSTing yesterday's `invoice.paid`. Stdlib HMAC, a tolerance window, and an idempotency cache that lives in any Redis-shaped store.

Python
webhooks
security
authentication
hashing

594

10

4.2 (10)

Nov 28, 2025

by @averyperry