Security

Authentication between microservices is one of those things that seems simple until you actually try to implement it. We went through 4 different patterns over 18 months. Each one solved some problems but created new ones. Here’s what we learned, and what we eventually settled on. The problem You have 15 microservices. API Gateway authenticates users with JWT. But how do internal services verify requests from each other? Service A needs to call Service B. Service B needs to know: ...

Found our AWS access keys in a public GitHub repo last month. Fun times. Here’s how it happened and what we actually did to prevent it. How we leaked them Developer needed to add an API key to a Kubernetes service. Did this: # deployment.yaml - DON'T DO THIS apiVersion: apps/v1 kind: Deployment metadata: name: api-service spec: template: spec: containers: - name: api env: - name: AWS_ACCESS_KEY value: "AKIAIOSFODNN7EXAMPLE" # 🚨 Plaintext in git! - name: AWS_SECRET_KEY value: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" Committed it. Pushed it. Public repo. Keys were active for 6 hours before AWS alerted us to unusual activity. ...

Docker has become the standard for containerization, but running containers in production requires following best practices for security, performance, and reliability. This guide covers essential practices for production Docker deployments. Image optimization Use multi-stage builds Reduce final image size by using multi-stage builds: # Stage 1: Build FROM node:18-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build # Stage 2: Runtime FROM node:18-alpine WORKDIR /app RUN addgroup -g 1001 -S nodejs && \ adduser -S nodejs -u 1001 COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules COPY --chown=nodejs:nodejs package*.json ./ USER nodejs EXPOSE 3000 CMD ["node", "dist/index.js"] Use minimal base images Prefer Alpine or distroless images: ...

A critical security vulnerability has been discovered in React’s Server-Side Rendering (SSR) Server Action protocol that could lead to Remote Code Execution (RCE) on the server. The Vulnerability The issue lies in how React handles Server Actions in SSR environments. When improperly configured, the Server Action protocol can allow attackers to execute arbitrary code on the server. How It Works Server Actions in React allow you to call server-side functions directly from client components: ...

Identity & access Enforce strong auth (OIDC/JWT); short-lived tokens + refresh; audience/issuer checks. Fine-grained authz (RBAC/ABAC); deny-by-default; rate-limit per identity. Input & data Validate/normalize input; reject oversized bodies; JSON schema where possible. Output encode; avoid reflecting raw user data; paginate results. Store secrets in vault/KMS; rotate keys; never log secrets/tokens. Transport & headers TLS everywhere; HSTS; modern ciphers. Security headers: Content-Security-Policy, X-Content-Type-Options=nosniff, X-Frame-Options=DENY, Referrer-Policy. Abuse protection Rate limit + burst control; CAPTCHA/step-up for sensitive actions. Bot detection where relevant; geo/IP allow/deny for admin surfaces. Observability Structured audit logs with identity, action, resource, result; avoid PII spill. Alerts on auth failures, unusual rate spikes, and 5xx anomalies. Checklist AuthZ enforced; least privilege. Input validated; size limits set. TLS + security headers applied. Rate limits + abuse controls configured. Secrets vaulted and rotated.

Static (SAST) Run linters/semgrep/bandit/gosec/spotbugs per language; fail on high severity. Baseline to reduce noise; allow sarif upload to code host for inline review. Secret scanning in every push; block commits with keys. Dynamic (DAST) Stage environment with prod-like config; run zap/owasp/amass scopes carefully. Define allowlist targets; time-bounded scans; throttle to avoid DoS. Pipeline hygiene Shift-left: PR checks for fast SAST; nightly deeper scans. Artifacts stored with build SHA; track findings trend. Break-glass only with approvals; keep rules versioned. Checklist SAST/secret scans on push + PR. DAST on staging with scoped targets. SARIF/uploaded results visible to devs. Findings triaged with SLA.

Security is crucial in web development. Here are essential security practices to protect your applications. 1. Authentication & Authorization Strong Password Policies // Enforce strong passwords const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/; // Hash passwords (never store plaintext) const hashedPassword = await bcrypt.hash(password, 10); JWT Best Practices // Use short expiration times const token = jwt.sign( { userId: user.id }, process.env.JWT_SECRET, { expiresIn: '15m' } ); // Implement refresh tokens // Store tokens securely (httpOnly cookies) 2. Input Validation Server-Side Validation // Always validate on server const schema = z.object({ email: z.string().email(), password: z.string().min(8), age: z.number().min(18).max(120) }); const validated = schema.parse(req.body); Sanitize Inputs // Prevent XSS const sanitized = DOMPurify.sanitize(userInput); // Prevent SQL Injection (use parameterized queries) db.query('SELECT * FROM users WHERE id = ?', [userId]); 3. HTTPS & SSL/TLS // Always use HTTPS in production // Redirect HTTP to HTTPS // Use HSTS headers app.use((req, res, next) => { if (!req.secure && process.env.NODE_ENV === 'production') { return res.redirect(`https://${req.headers.host}${req.url}`); } next(); }); 4. CORS Configuration // Configure CORS properly app.use(cors({ origin: process.env.ALLOWED_ORIGINS.split(','), credentials: true, methods: ['GET', 'POST', 'PUT', 'DELETE'], allowedHeaders: ['Content-Type', 'Authorization'] })); 5. Rate Limiting // Prevent brute force attacks const rateLimit = require('express-rate-limit'); const limiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 5 // limit each IP to 5 requests per windowMs }); app.use('/api/login', limiter); 6. SQL Injection Prevention // Always use parameterized queries // Bad db.query(`SELECT * FROM users WHERE email = '${email}'`); // Good db.query('SELECT * FROM users WHERE email = ?', [email]); 7. XSS Prevention // Escape user input const escapeHtml = (text) => { const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' }; return text.replace(/[&<>"']/g, m => map[m]); }; // Use Content Security Policy app.use((req, res, next) => { res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self'"); next(); }); 8. CSRF Protection // Use CSRF tokens const csrf = require('csurf'); const csrfProtection = csrf({ cookie: true }); app.use(csrfProtection); app.get('/form', (req, res) => { res.render('form', { csrfToken: req.csrfToken() }); }); 9. Security Headers // Set security headers app.use((req, res, next) => { res.setHeader('X-Content-Type-Options', 'nosniff'); res.setHeader('X-Frame-Options', 'DENY'); res.setHeader('X-XSS-Protection', '1; mode=block'); res.setHeader('Strict-Transport-Security', 'max-age=31536000'); next(); }); 10. Dependency Security # Regularly update dependencies npm audit npm audit fix # Use tools like Snyk, Dependabot 11. Error Handling // Don't expose sensitive information app.use((err, req, res, next) => { if (process.env.NODE_ENV === 'production') { res.status(500).json({ error: 'Internal server error' }); } else { res.status(500).json({ error: err.message }); } }); 12. Logging & Monitoring // Log security events logger.warn('Failed login attempt', { ip: req.ip, email: req.body.email, timestamp: new Date() }); // Monitor for suspicious activity Best Practices Summary Strong authentication Input validation & sanitization Use HTTPS Configure CORS properly Implement rate limiting Prevent SQL injection Prevent XSS CSRF protection Security headers Keep dependencies updated Proper error handling Monitor security events Conclusion Security requires: ...