CORS Explained Without Cargo Culting
A practical guide to CORS for builders: origins, preflights, credentials, common browser errors, and the server configs that actually fix them without opening your API to the world.
devsecurityweb
Posts tagged “security”
Tiny explainers grouped by topic. Spend less time Googling, more time building.
Secrets Management 101
A practical guide to env vars, secret managers, rotation, and least privilege — with delivery patterns for web apps, workers, CI/CD, and Kubernetes.
devsecuritysecrets
CSRF Still Matters
A practical guide to CSRF protection in modern apps: SameSite cookies, synchronizer tokens, custom headers, Fetch Metadata, and the CORS mistakes that quietly reopen old holes.
devsecuritycsrf
RBAC vs ABAC vs ReBAC
A practical guide to choosing role-based, attribute-based, or relationship-based authorization for real products, with examples for SaaS apps, internal tools, B2B org models, and shared resources.
devauthauthorization
Passkeys / WebAuthn in Practice
A practical guide to shipping passkeys with WebAuthn: registration, sign-in, recovery, account settings, and the RP ID/origin gotchas that usually break rollouts.
devauthpasskeys
Session Cookies vs JWTs vs PASETO
A practical guide to choosing session cookies, JWTs, or PASETO for web apps, SPAs, mobile apps, and APIs without cargo-culting stateless auth.
devauthsecurity
OAuth 2.1 & OpenID Connect, Explained for Builders
A practical guide to OAuth 2.1 and OpenID Connect for real apps: authorization code + PKCE, refresh tokens, ID tokens, and machine-to-machine flows without the usual auth confusion.
devauthoauth
Safe File Uploads — accept untrusted files without getting owned
A battle‑tested checklist and patterns: allowlists, size limits, magic‑byte checks, streaming to object storage, virus scanning, image/PDF sanitization, signed URLs, and safe download headers.
devsecurityweb
Security Headers Cheat Sheet — copy‑paste defaults that actually help
Practical, modern defaults for CSP, HSTS, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, X-Content-Type-Options, X-Frame-Options vs frame-ancestors, cookies, and cache controls—with NGINX/Apache/Express snippets.
devsecurityweb
Rate Limiting Strategies — windows, buckets, and distributed guards
Fixed/sliding windows, token & leaky buckets, GCRA, and real-world implementations (Redis, NGINX, Envoy). Covers headers, bursts, backoff, multi‑DC, and tuning.
devapireliability
JWTs — Expiration, Rotation, and Revocation
Design access + refresh flows that are safe: short-lived access tokens, rotating refresh tokens with reuse detection, device-scoped sessions, and practical revocation strategies.
devsecurityauth
Dockerfile Best Practices — fast builds, small images, safer containers
Multi-stage builds, cache-friendly layering, non-root users, and sane defaults for ENTRYPOINT/CMD, healthchecks, and secrets. Copy‑paste patterns for Node, Python, and Go.
devcontainersdocker
Password Storage the Right Way — salts, peppers, and modern hashes
Use Argon2id (or bcrypt) with unique per‑user salts, optional KMS‑backed pepper, and safe on‑login migrations. Includes copy‑paste snippets for Node, Python, and Go.
devsecurityauth
The OAuth2 Flow, Decoded — roles, tokens, and the PKCE dance
A simple, diagram-first walkthrough of OAuth 2’s Authorization Code + PKCE flow—who does what (client, resource owner, authorization server, resource server), how the redirects work, and where tokens live.
devsecurityoauth
Securely Managing Environment Variables (The Right Way)
Why you shouldn’t commit .env files, how to handle secrets differently in local, staging, and production, and the exact patterns to inject, validate, rotate, and audit configuration safely.
devsecuritysecrets
Base64 Encoding is Not Encryption — myth-busting what Base64 is actually for
Base64 turns bytes into ASCII text for transport and storage. It is not a security mechanism. Learn how it works, common uses (MIME, URLs, JWTs), and what to use instead when you need secrecy or integrity.
devsecurityencoding
Authentication vs. Authorization — what’s the difference and how they fit together
A clear, practical comparison: authN proves who you are; authZ decides what you can do. Learn identities, sessions/tokens (OIDC/OAuth2), roles/scopes/permissions, and common pitfalls.
devsecurityauth
When to Use an ENV File (and How to Use it Securely)
A practical guide to environment variables—when .env files make sense, how to load them locally, and how to keep secrets out of your repo and images.
devsecuritysecrets
A Simple Guide to SSH Keys — generate & use keys for secure server access
Step-by-step: create an SSH key, add it to a server, use ssh-agent, set up ~/.ssh/config, and harden your SSH settings. Works on macOS, Linux, and Windows.
devsecurityssh
How SSL/TLS Works in 60 Seconds — the HTTPS handshake demystified
Demystify the TLS handshake—ClientHello, ServerHello, certificates, ECDHE key exchange, session keys—and why HTTPS protects confidentiality, integrity, and authenticity.
devwebhttp
What is an API Gateway? — and why you might need one
A simple explainer of API gateways—how they centralize auth, rate limiting, routing, and observability—and when to adopt one versus calling services directly.
devapigateway
Understanding CORS — a tiny explainer for stuck web devs
A fast primer on Cross-Origin Resource Sharing—what “origin” means, how simple vs. preflighted requests work, when to send credentials, and the exact headers that fix the dreaded CORS error.
devwebhttp
What is DMARC (and why you should care)
DMARC tells inboxes what to do when email fails SPF/DKIM checks — and sends you reports so you can fix issues.
emailsecurityca-duh
SPF vs DKIM — simple differences
SPF says who can send. DKIM signs the message. Use both for deliverability.
emailsecurityca-duh