Structured Logging That Survives Production
How to make logs useful under real traffic: correlation IDs, JSON event shape, sampling rules, and PII redaction that does not depend on everyone remembering.
devobservabilitylogging
Posts tagged “security”
Tiny explainers grouped by topic. Spend less time Googling, more time building.
TLS / HTTPS: the parts that break in production
Cert chains, renewals, mTLS, HSTS, and handshake debugging, explained from the operator’s side.
devsecurityweb
CORS Explained Without Cargo Culting
What actually breaks in CORS, which headers matter, and the server configs that fix browser errors without accidentally opening your API.
devsecurityweb
Secrets Management That Survives Production
Env vars are only the beginning. This covers secret managers, rotation, least privilege, and delivery patterns that do not leak credentials across your stack.
devsecuritysecrets
CSRF Still Matters
CSRF never really left. Here’s how SameSite cookies, synchronizer tokens, custom headers, and Fetch Metadata fit together in modern apps.
devsecuritycsrf
RBAC vs ABAC vs ReBAC
Most teams do not need every authorization model. This shows where RBAC, ABAC, and ReBAC fit, and what gets painful later if you pick the wrong one.
devauthauthorization
Passkeys / WebAuthn in Practice
What shipping passkeys actually involves: registration, sign-in, recovery, account settings, and the RP ID/origin mistakes that break rollouts.
devauthpasskeys
Session Cookies vs JWTs vs PASETO
Three ways to carry auth state, three different tradeoffs. Here’s where session cookies, JWTs, and PASETO fit without stateless-auth cargo culting.
devauthsecurity
OAuth 2.1 & OpenID Connect for Builders
The auth stack most teams inherit, minus the jargon: code + PKCE, refresh tokens, ID tokens, and machine-to-machine flows that actually matter.
devauthoauth
Safe File Uploads — accept untrusted files without getting owned
A battle‑tested checklist and patterns: allowlists, size limits, magic‑byte checks, streaming to object storage, virus scanning, image/PDF sanitization, signed URLs, and safe download headers.
devsecurityweb
Security Headers Cheat Sheet — copy‑paste defaults that actually help
Practical, modern defaults for CSP, HSTS, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, X-Content-Type-Options, X-Frame-Options vs frame-ancestors, cookies, and cache controls—with NGINX/Apache/Express snippets.
devsecurityweb
Rate Limiting Strategies — windows, buckets, and distributed guards
Fixed/sliding windows, token & leaky buckets, GCRA, and real-world implementations (Redis, NGINX, Envoy). Covers headers, bursts, backoff, multi‑DC, and tuning.
devapireliability
JWTs — Expiration, Rotation, and Revocation
Design access + refresh flows that are safe: short-lived access tokens, rotating refresh tokens with reuse detection, device-scoped sessions, and practical revocation strategies.
devsecurityauth
Dockerfile Best Practices — fast builds, small images, safer containers
Multi-stage builds, cache-friendly layering, non-root users, and sane defaults for ENTRYPOINT/CMD, healthchecks, and secrets. Copy‑paste patterns for Node, Python, and Go.
devcontainersdocker
Password Storage the Right Way — salts, peppers, and modern hashes
Use Argon2id (or bcrypt) with unique per‑user salts, optional KMS‑backed pepper, and safe on‑login migrations. Includes copy‑paste snippets for Node, Python, and Go.
devsecurityauth
The OAuth2 Flow, Decoded — roles, tokens, and the PKCE dance
A diagram-first walkthrough of OAuth 2’s Authorization Code + PKCE flow: who does what, how the redirects work, and where the tokens end up.
devsecurityoauth
Securely Managing Environment Variables (The Right Way)
Why you shouldn’t commit .env files, how to handle secrets differently in local, staging, and production, and the exact patterns to inject, validate, rotate, and audit configuration safely.
devsecuritysecrets
Base64 Encoding is Not Encryption — myth-busting what Base64 is actually for
Base64 turns bytes into ASCII text for transport and storage. It is not a security mechanism. Learn how it works, common uses (MIME, URLs, JWTs), and what to use instead when you need secrecy or integrity.
devsecurityencoding
Authentication vs. Authorization — what’s the difference and how they fit together
A clear, practical comparison: authN proves who you are; authZ decides what you can do. Learn identities, sessions/tokens (OIDC/OAuth2), roles/scopes/permissions, and common pitfalls.
devsecurityauth
When to Use an ENV File (and How to Use it Securely)
.env files are fine for some jobs and a liability for others. Here’s where they fit, where they don’t, and how to keep secrets out of repos and images.
devsecuritysecrets
SSH Keys, Minus the Mystery
Generate a key, load it into `ssh-agent`, add it to a server, and clean up your SSH config without the usual trial and error.
devsecurityssh
How SSL/TLS Works in 60 Seconds — the HTTPS handshake demystified
Demystify the TLS handshake—ClientHello, ServerHello, certificates, ECDHE key exchange, session keys—and why HTTPS protects confidentiality, integrity, and authenticity.
devwebhttp
What is an API Gateway? — and why you might need one
Where a gateway earns its keep, where a reverse proxy is enough, and why pushing business logic to the edge usually backfires.
devapigateway
Understanding CORS — a tiny explainer for stuck web devs
A fast primer on Cross-Origin Resource Sharing—what “origin” means, how simple vs. preflighted requests work, when to send credentials, and the exact headers that fix the dreaded CORS error.
devwebhttp
What is DMARC (and why you should care)
DMARC tells inboxes what to do when email fails SPF/DKIM checks — and sends you reports so you can fix issues.
emailsecurityca-duh
SPF vs DKIM — simple differences
SPF says who can send. DKIM signs the message. Use both for deliverability.
emailsecurityca-duh