07. Security & auth

Keeping bad actors out, keeping your users’ data safe, and proving who’s who. Covers authentication (who are you?), authorization (what can you do?), the OWASP Top 10 (the most common classes of web-application risk), and the day-to-day patterns that prevent them.


Entries

| # | Entry | Status | One-line description |
|---|-------|--------|----------------------|
| 1 | Authentication vs authorization | 🟩 COMPLETE | “Who you are” vs “what you can do” — the constant confusion |
| 2 | Passwords & hashing | 🟩 COMPLETE | Why you never store passwords directly — and what bcrypt/argon2 do |
| 3 | Sessions & cookies | 🟩 COMPLETE | The classic “you’re logged in” mechanism, demystified |
| 4 | JWT — JSON Web Tokens | 🟩 COMPLETE | Stateless, signed tokens that travel in headers |
| 5 | OAuth & social login | 🟩 COMPLETE | “Sign in with Google” — the protocol behind it |
| 6 | Magic links & passwordless | 🟩 COMPLETE | Email-based login flows — pros, cons, gotchas |
| 7 | OWASP Top 10 | 🟩 COMPLETE 🟦 LIVING | The most common web vulnerability classes, ranked by prevalence and impact |
| 8 | XSS — Cross-site scripting | 🟩 COMPLETE | When attacker JavaScript runs in another user’s browser |
| 9 | CSRF — Cross-site request forgery | 🟩 COMPLETE | Tricking a logged-in user’s browser into making requests |
| 10 | SQL injection | 🟩 COMPLETE | The classic — and how parameterized queries kill it dead |
| 11 | Secrets management | 🟩 COMPLETE | Where API keys live, how they leak, how to prevent it |
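Entry 10 promises that parameterized queries "kill SQL injection dead". The snippet below is an added example (not from the original page or any of the entries it links) that shows exactly why: the same lookup written twice against a constructed in-memory SQLite table, once by gluing the username into the SQL string and once with a bound parameter. The table, the usernames and the placeholder hash strings are all made up for this demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-for-alice"), ("bob", "hash-for-bob")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """String concatenation: the caller's input becomes part of the SQL grammar.

    With username = "x' OR '1'='1" the query the database actually parses is
        SELECT username FROM users WHERE username = 'x' OR '1'='1'
    and the WHERE clause is true for every row.
    """
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    """Bound parameter: the value is handed to the driver separately from the
    statement text, so quotes and keywords inside it are never parsed as SQL.
    The same payload is compared, literally, against the username column and
    matches nobody.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Classic tautology payload. (sqlite3.execute() refuses stacked statements, so a
# "'; DROP TABLE users; --" payload would raise here; the OR-tautology form is
# enough to show the data leak.)
PAYLOAD = "x' OR '1'='1"


def demo() -> dict[str, list[str]]:
    """Run both lookups with a normal username and with the payload."""
    conn = make_db()
    return {
        "vulnerable/normal": lookup_vulnerable(conn, "alice"),
        "vulnerable/payload": lookup_vulnerable(conn, PAYLOAD),
        "parameterized/normal": lookup_parameterized(conn, "alice"),
        "parameterized/payload": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

The vulnerable version returns every user for the payload; the parameterized one returns nothing, because there is no user literally named `x' OR '1'='1`. The fix is not escaping quotes by hand but keeping data and code on separate channels, which is what the `?` placeholder does.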

Suggested reading order

1 → 2 → 3 → 4 → 5 → 11 → 7 → 8 → 9 → 10. Start with what auth actually is, then learn what NOT to do.

See also

11 items under this folder.