Security review checklist for production readiness of new services

I use a review checklist to make sure basic controls are present before a service ships: auth, logging, secrets, dependency scanning, backups, and least privilege. Checklists do not replace expertise, but they prevent avoidable omissions. The best one

Signed release artifacts with cosign for software supply chain trust

Artifact signing gives downstream systems something concrete to verify before deployment. I use cosign because it keeps container and provenance signing practical in CI. Supply chain controls only matter if verification is automated where release deci

Email security baseline with SPF, DKIM and DMARC records

Email remains a major impersonation surface, so I want domain alignment controls in place even for engineering-led products. SPF alone is not enough, and DMARC without a rollout plan creates confusion. Monitoring mode first, then enforcement, is usual

Incident response severity matrix and first hour checklist

The first hour of an incident should be structured enough that teams do not invent process under pressure. I keep severity definitions, communication paths, and containment priorities explicit. A good checklist reduces panic and preserves evidence at

CSP report endpoint for monitoring attempted browser policy violations

I like CSP reporting because it reveals both rollout mistakes and active attack attempts. The endpoint should accept reports quietly, avoid noisy validation failure loops, and forward the data into normal observability systems. Reporting without triag

Password reset flow that avoids user enumeration and token leaks

Password reset endpoints should reveal as little as possible about account existence. I return the same response for known and unknown emails, store only token digests, and invalidate tokens after first use. Small response details here prevent large i

Client certificate pinning considerations for mobile apps

Certificate pinning is useful in high-risk mobile scenarios, but it has real operational cost. I use it selectively, plan backup pins, and make sure the team can rotate infrastructure without bricking clients. Security controls that ignore operational

Signed and encrypted Rails cookies for tamper-resistant state

Client-side cookies should be treated as attacker-controlled even when the framework signs them. I use encrypted cookies for sensitive state, keep payloads minimal, and avoid long-lived authorization decisions inside the browser. The convenience of co

PostgreSQL hardening with pg_hba and strict role separation

Database hardening starts with connection control and role hygiene. I separate app, migration, reporting, and admin roles so compromise impact is constrained. The default question is not what permissions are convenient, but which ones are actually nec

Redis hardening with ACLs, protected mode and network isolation

Redis should not be assumed safe just because it sits inside a VPC or private subnet. I enable authentication or ACLs, bind deliberately, and keep the service off public networks entirely. Fast infrastructure becomes dangerous infrastructure when team

Security-focused CORS configuration for browser APIs

CORS is not an authentication control, but bad CORS settings still widen attack surface unnecessarily. I allow exact origins, restrict methods and headers, and avoid wildcard-origin-with-credentials combinations entirely. If the front-end origin list is unclear,

Secure webhook endpoint design with replay protection

A webhook endpoint is an internet-facing parser plus an authentication problem. I verify signatures, enforce recent timestamps, and store event IDs to block replay attempts. Reliability matters too, so handlers should be idempotent and fast to acknowl