07. Security & auth
Keeping bad actors out, keeping your users’ data safe, and proving who’s who. Covers authentication (who are you?), authorization (what can you do?), the OWASP top 10 (the most common attacks), and the day-to-day patterns that prevent them.
Entries
| # | Entry | Status | One-line description |
|---|---|---|---|
| 1 | Authentication vs authorization | 🟩 COMPLETE | “Who you are” vs “what you can do” — the constant confusion |
| 2 | Passwords & hashing | 🟩 COMPLETE | Why you never store passwords directly — and what bcrypt/argon2 do |
| 3 | Sessions & cookies | 🟩 COMPLETE | The classic “you’re logged in” mechanism, demystified |
| 4 | JWT — JSON Web Tokens | 🟩 COMPLETE | Stateless, signed tokens that travel in headers |
| 5 | OAuth & social login | 🟩 COMPLETE | “Sign in with Google” — the protocol behind it |
| 6 | Magic links & passwordless | 🟩 COMPLETE | Email-based login flows — pros, cons, gotchas |
| 7 | OWASP top 10 | 🟩 COMPLETE 🟦 LIVING | The most common web vulnerabilities, ranked by frequency |
| 8 | XSS — Cross-site scripting | 🟩 COMPLETE | When attacker JavaScript runs in another user’s browser |
| 9 | CSRF — Cross-site request forgery | 🟩 COMPLETE | Tricking a logged-in user’s browser into making requests |
| 10 | SQL injection | 🟩 COMPLETE | The classic — and how parameterized queries kill it dead |
| 11 | Secrets management | 🟩 COMPLETE | Where API keys live, how they leak, how to prevent it |
Suggested reading order
1 → 2 → 3 → 4 → 5 → 11 → 7 → 8 → 9 → 10. Start with what auth actually is, then learn what NOT to do.
See also
- 04. Databases — Row-Level Security
- 03. Backend — most security logic lives server-side
- Gotchas — Auth