# Security

— 14 posts

Apr 15, 2026 · 22m

Security Attacks Every Engineer Should Know: A Field Guide to the Techniques Attackers Actually Use

A structural, named-technique-by-named-technique walkthrough of the attacks a modern web application has to defend against — injection, authentication flaws, XSS, CSRF, IDOR, SSRF, deserialization, race conditions, supply-chain attacks, and more — with how each works and what to do about it.

Security · Architecture · OWASP
Mar 11, 2026 · 15m

OWASP Top 10 in a Real Node.js & Next.js App — Before/After

The 2021 OWASP Top 10, but with actual vulnerable Node.js and Next.js snippets and the fixes I ship in production. Concrete examples beat awareness posters.

Security · Node.js · Next.js
Apr 26, 2025 · 13m

JWT for Service-to-Service Authentication: Server-to-Server Authentication in Microservices

A comprehensive implementation guide to JWT for service-to-service authentication — covering signed JWTs between services, asymmetric keys (RS256/ES256) for distributed verification, token propagation patterns, and Node.js implementation.

Authentication · Security · Microservices
Apr 25, 2025 · 15m

Service Mesh Identity (SPIFFE/SPIRE): Server-to-Server Authentication in Microservices

A comprehensive guide to SPIFFE/SPIRE for workload identity in microservices — covering SPIFFE ID format, SVIDs, SPIRE architecture and components, Istio/Envoy integration, and zero-trust networking patterns.

Authentication · Security · Microservices
Apr 24, 2025 · 13m

OAuth 2.0 Client Credentials Grant: Server-to-Server Authentication in Microservices

A comprehensive implementation guide to OAuth 2.0 Client Credentials Grant for machine-to-machine authentication — covering the client credentials flow, token caching and refresh, scope and audience validation, and Node.js implementation with multiple identity providers.

Authentication · Security · Microservices
Apr 23, 2025 · 13m

API Keys & HMAC Signatures: Server-to-Server Authentication in Microservices

A comprehensive implementation guide to API key and HMAC signature authentication — covering API key generation and storage, HMAC request signing inspired by AWS Signature V4, Node.js implementation, rate limiting, and key rotation strategies.

Authentication · Security · Microservices
Apr 22, 2025 · 14m

Mutual TLS (mTLS) Authentication: Server-to-Server Authentication in Microservices

A comprehensive implementation guide to Mutual TLS (mTLS) for service-to-service authentication — covering certificate chains, CA setup, certificate rotation, Node.js and Go implementations, Kubernetes cert-manager integration, and production patterns.

Authentication · Security · Microservices
Apr 21, 2025 · 10m

Server-to-Server Authentication in Microservices

A high-level comparison of five authentication patterns for service-to-service communication — mTLS, API Keys & HMAC, OAuth 2.0 Client Credentials, Service Mesh Identity (SPIFFE/SPIRE), and JWT — covering when to use each, trade-offs, and real-world examples.

Authentication · Security · Microservices
Apr 13, 2025 · 13m

Multi-Factor Authentication (MFA): Authentication Strategies for Modern Web Applications

A comprehensive implementation guide to multi-factor authentication — covering TOTP setup, backup codes, SMS verification, hardware security keys, adaptive MFA, and recovery strategies.

Authentication · Security · Backend
Apr 12, 2025 · 12m

Passwordless Authentication: Authentication Strategies for Modern Web Applications

A comprehensive implementation guide to passwordless authentication — covering magic email links, SMS OTP, WebAuthn/FIDO2 passkeys, implementation patterns, and security considerations.

Authentication · Security · Backend
Apr 11, 2025 · 13m

OAuth 2.0 Authentication: Authentication Strategies for Modern Web Applications

A comprehensive implementation guide to OAuth 2.0 — covering authorization flows, OpenID Connect, implementing Google and GitHub login, token management, and enterprise SSO patterns.

Authentication · Security · Backend
Apr 10, 2025 · 14m

JWT Authentication: Authentication Strategies for Modern Web Applications

A comprehensive implementation guide to JWT authentication — covering token structure, signing algorithms, access/refresh token patterns, middleware implementation, token revocation strategies, and security best practices.

Authentication · Security · Backend
Apr 9, 2025 · 12m

Session-Based Authentication: Authentication Strategies for Modern Web Applications

A comprehensive implementation guide to session-based authentication — covering how sessions work under the hood, server-side storage strategies, cookie security, scaling with Redis, and production best practices.

Authentication · Security · Backend
Apr 8, 2025 · 8m

Authentication Strategies for Modern Web Applications

A high-level comparison of modern authentication approaches — Session-based, JWT, OAuth 2.0, Passwordless, and MFA — covering when to use each, trade-offs, and real-world use cases.

Authentication · Security · Backend