Backend
Mid-Level
Question 5 of 6

What do you need to think about when building secure APIs?

Quick Answer

Validate all input, authenticate and authorize every request, use HTTPS, implement rate limiting, and never trust client data.

Detailed Answer

Security must be built in from the start, not added as an afterthought.

Input validation is your first line of defense. Validate everything that arrives from a client: request bodies, query and path parameters, headers, cookies. Use schema validation (Zod, Joi) with an allowlist of expected fields and types, so malformed or unexpected input is rejected before it reaches your logic. Validation does not replace context-specific encoding: prevent SQL injection with parameterized queries, and prevent XSS by escaping output for the context it is rendered in.
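The three controls above, as an added example that is not code from the original page: a minimal schema check in the spirit of Zod/Joi, the same lookup built unsafely and with placeholders, and an HTML escaper for output. The `{ text, params }` query objects only mimic the shape most Node database drivers accept; no database is contacted, and the schema, field names and sample inputs are constructed for this example.

```javascript
// Added example, not from the original page. The schema below stands in for a
// Zod/Joi schema; query objects mimic a driver's { text, params } and are never executed.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

const userSearchSchema = {
  username: (v) => typeof v === 'string' && /^[a-z0-9_]{3,32}$/i.test(v),
  limit:    (v) => Number.isInteger(v) && v >= 1 && v <= 100,
};

// Validate before any business logic runs. Unknown keys are rejected as well:
// accepting extras is how "isAdmin": true ends up inside an update.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be an object'] };
  }
  const errors = [];
  for (const [key, check] of Object.entries(schema)) {
    if (!hasOwn(input, key) || !check(input[key])) errors.push(`invalid:${key}`);
  }
  for (const key of Object.keys(input)) {
    if (!hasOwn(schema, key)) errors.push(`unexpected:${key}`);
  }
  return { ok: errors.length === 0, errors };
}

// Vulnerable: the value becomes part of the SQL statement text.
function findUserUnsafe(username) {
  return { text: `SELECT id, name FROM users WHERE name = '${username}'`, params: [] };
}

// Hardened: the statement is fixed; the driver ships the value out of band,
// so quotes inside it are data, never syntax.
function findUserSafe(username) {
  return { text: 'SELECT id, name FROM users WHERE name = $1', params: [username] };
}

// Output encoding for an HTML body context; apply at render time, not on input.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
```

Note what each layer catches: the schema rejects the `' OR 1=1 --` username because it fails the allowlist pattern, but a field that legitimately allows quotes (a display name, a free-text note) would pass, and only the parameterized query keeps it from becoming SQL.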

Authentication verifies who the user is. Use established protocols and vetted libraries (OAuth 2.0 / OpenID Connect for delegated login, a maintained JWT library that pins the signing algorithm and checks expiry) rather than rolling your own. Store passwords only as salted hashes from a deliberately slow function such as bcrypt or Argon2, never in plain text and never with a fast general-purpose hash. Implement proper session management with cookies flagged Secure, HttpOnly and SameSite, and invalidate sessions on logout and password change.

Authorization checks what users may do. Every endpoint must verify that the caller has permission for that specific action, with deny as the default. Check ownership of resources on every request: user A must not be able to read or modify user B's data by changing an ID in the URL (an insecure direct object reference). Implement role-based or attribute-based access control for complex permissions, and enforce it server-side, never only in the client.
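A deny-by-default check that combines a role permission with an ownership test, as an added example (not the original page's code). The roles, permission names, users and documents are constructed in-memory fixtures standing in for a real store, and the handler mirrors the shape of an Express route without the framework so the decision can be tested directly.

```javascript
// Added example, not from the original page. Fixtures are constructed.
const ROLE_PERMISSIONS = {
  admin:  new Set(['document:read', 'document:write', 'document:delete', 'user:list']),
  editor: new Set(['document:read', 'document:write']),
  viewer: new Set(['document:read']),
};

const documents = new Map([
  ['d1', { id: 'd1', ownerId: 'u1', body: 'alice private notes' }],
  ['d2', { id: 'd2', ownerId: 'u2', body: 'bob draft' }],
]);

// Deny unless every condition holds: a caller exists, its role grants the
// action, and (for owned resources) it is the owner or an admin.
function can(user, action, resource) {
  if (!user) return false;
  const perms = ROLE_PERMISSIONS[user.role];
  if (!perms || !perms.has(action)) return false;
  if (resource && resource.ownerId !== undefined && user.role !== 'admin') {
    return resource.ownerId === user.id; // the IDOR guard
  }
  return true;
}

// Route handler: load, then authorize, then respond. "Missing" and "not yours"
// get the same 404 so an attacker cannot enumerate which ids exist.
function getDocument(user, docId) {
  const doc = documents.get(docId);
  if (!doc || !can(user, 'document:read', doc)) return { status: 404 };
  return { status: 200, body: doc.body };
}

function updateDocument(user, docId, newBody) {
  const doc = documents.get(docId);
  if (!doc || !can(user, 'document:write', doc)) return { status: 404 };
  doc.body = newBody;
  return { status: 200, body: doc.body };
}
```

The ownership test lives inside `can`, not in each handler, so a new endpoint cannot forget it; a handler that calls `can` with the wrong action still fails closed because unknown actions are not in any role's set.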

HTTPS everywhere, no exceptions. Encrypt data in transit, including service-to-service traffic inside your own network. Send an HSTS header so browsers refuse to downgrade to plain HTTP on later visits. In development, tools like mkcert create locally trusted certificates, so nobody gets used to clicking through certificate warnings.

Rate limiting slows brute force and credential-stuffing attacks and blunts abuse in general. Apply stricter limits on sensitive endpoints (login, password reset, code verification), keyed by both the client IP and the target account so a distributed attack on one account is still caught. Be careful with account lockout after failed attempts: a hard lockout lets anyone who knows a username lock the real user out, so prefer progressive delays or a short temporary lockout, and alert on the pattern either way.
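A sliding-window limiter keyed per IP and per account, with a progressive delay for failed logins in place of a hard lockout, as an added example that is not the original page's code. The limits, window sizes, clock injection and the `handleLogin`/`handleApiRequest` shape are this example's own assumptions; in a multi-instance deployment the counters would live in a shared store such as Redis rather than in process memory.

```javascript
// Added example, not from the original page. Limits and windows are illustrative.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps inside the window, at most `limit` of them
  }
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length };
  }
}

// Loose limit for the API at large; tight ones for login, per source IP and,
// independently, per target account so a distributed attack still hits a wall.
const apiLimiter = new SlidingWindowLimiter({ limit: 100, windowMs: 60_000 });
const loginByIp = new SlidingWindowLimiter({ limit: 10, windowMs: 60_000 });
const loginByAccount = new SlidingWindowLimiter({ limit: 5, windowMs: 15 * 60_000 });

function handleApiRequest(ip, now = Date.now()) {
  const r = apiLimiter.check(`ip:${ip}`, now);
  return r.allowed ? { status: 200, remaining: r.remaining } : { status: 429, retryAfterMs: r.retryAfterMs };
}

function handleLogin(ip, account, now = Date.now()) {
  const checks = [[loginByIp, `ip:${ip}`], [loginByAccount, `acct:${account.toLowerCase()}`]];
  for (const [limiter, key] of checks) {
    const r = limiter.check(key, now);
    if (!r.allowed) return { status: 429, retryAfterMs: r.retryAfterMs };
  }
  return { status: 200 }; // proceed to the credential check
}

// Progressive delay instead of lockout: guessing gets slow quickly, but an
// attacker who knows a username cannot lock the legitimate user out.
const failedLogins = new Map();
function recordLoginResult(account, success) {
  const k = account.toLowerCase();
  if (success) failedLogins.delete(k);
  else failedLogins.set(k, (failedLogins.get(k) || 0) + 1);
}
function loginDelayMs(account) {
  const n = failedLogins.get(account.toLowerCase()) || 0;
  return n === 0 ? 0 : Math.min(250 * 2 ** n, 30_000);
}
```

Return `retryAfterMs` to the client as a `Retry-After` header; the per-account counter should count attempts rather than failures, otherwise a correct guess is the one request that is never throttled.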

Security headers prevent common attacks: Content-Security-Policy limits where scripts may load from, X-Frame-Options (or the CSP frame-ancestors directive) blocks clickjacking, and X-Content-Type-Options stops MIME sniffing. CORS is the opposite kind of header: it relaxes the browser's same-origin policy, so keep it to an explicit allowlist of origins rather than reflecting whatever Origin the request carried. Use helmet.js or similar to set the defensive headers correctly.

Log security events (failed logins, access denied, unusual patterns) with enough context (timestamp, user, source IP, request ID) for monitoring and forensics. Never log sensitive data (passwords, tokens, session cookies, full credit card numbers); redact at the logging layer so no individual call site has to remember.
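A structured security-event logger that redacts secrets before anything is written, as an added example that is not the original page's code. The sensitive key names, the bearer-token and card-number patterns, and the sample event are constructed for this example; a real deployment would send the line to its log pipeline instead of an in-memory array.

```javascript
// Added example, not from the original page. Key names, patterns and the sample
// event are this example's own; `sink` stands in for the real log transport.
const SENSITIVE_KEYS = /^(password|passwd|token|authorization|secret|api[_-]?key|cookie|card(number)?|pan)$/i;
const BEARER = /\b(Bearer)\s+[A-Za-z0-9\-._~+\/]+=*/g;
const CARD_LIKE = /\b\d(?:[ -]?\d){12,18}\b/g; // 13 to 19 digits with optional separators

// Walk the event: drop values under sensitive keys outright, scrub token and
// card shapes out of free text, leave everything else (ips, user ids) intact.
function redact(value, key = '') {
  if (value !== null && typeof value === 'object') {
    if (Array.isArray(value)) return value.map((v) => redact(v, key));
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redact(v, k);
    return out;
  }
  if (SENSITIVE_KEYS.test(key)) return '[REDACTED]';
  if (typeof value === 'string') {
    return value
      .replace(BEARER, '$1 [REDACTED]')
      .replace(CARD_LIKE, (m) => '****' + m.slice(-4));
  }
  return value;
}

const sink = [];
function securityEvent(type, fields, now = new Date()) {
  const line = JSON.stringify({ ts: now.toISOString(), event: type, ...redact(fields) });
  sink.push(line);
  return line;
}
```

The card pattern will also mask any 13 to 19 digit number, such as a long numeric request ID; in a log that is the right trade-off, since a false positive costs a lookup and a false negative is a PCI incident.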

Key Takeaway

Validate all input, authenticate and authorize every request, use HTTPS, implement rate limiting, and never trust client data.
