Kai Nakamura

CSP design is about reducing script execution freedom without breaking the app. I prefer nonces over unsafe-inline, keep the allowed source list tight, and roll policies out in report-only mode first. That gives teams a workable path from permissive f

Predictable tokens become account compromise. I use cryptographically secure randomness, store only token digests when possible, and keep token purpose and expiry specific. Reset tokens, magic links, and API secrets should all be treated like credenti

XML is still a problem when parsers are left in permissive mode. I disable external entities, refuse network fetches, and prefer simpler formats unless XML is required by an external integration. Attackers love parser defaults that nobody revisited af

SSRF defense requires more than banning localhost. I parse URLs with a real library, enforce scheme and host allowlists, resolve and reject private IP ranges, and pair app-level checks with network egress rules. If an attacker can turn your server int

Any endpoint that reads from disk needs path normalization and strict base-directory enforcement. I never trust user-supplied file names and I avoid passing them straight into shell commands. Safe file access is mostly about refusing to be clever.

File uploads are attacker-controlled input with extra surface area. I validate extension and MIME type, rename everything server side, scan risky formats, and keep user uploads out of executable paths. If the business allows arbitrary uploads, storage

I validate input at trust boundaries, not halfway through business logic. Explicit schemas force decisions about allowed types, lengths, enums, and nested structure. That keeps weird payloads from becoming security bugs and makes error behavior much e

Rate limiting is both a security control and an availability control. I use it to slow credential stuffing, login brute force, and noisy scraping without punishing normal use. The trick is keying limits on the right dimensions and emitting metrics so

For browser and mobile clients, PKCE closes an important hole in the classic authorization code flow. I use it by default with public clients, require exact redirect URI matching, and keep token exchange on TLS only. This is one of those cases where t

JWTs are easy to misuse because libraries make them look simpler than they are. I pin the algorithm, validate issuer and audience, keep expirations short, and rotate signing keys deliberately. I also avoid putting sensitive business data into tokens j

Passwords should never be encrypted for later recovery. I store slow one-way hashes, tune work factors for current hardware, and maintain a rehash path when users log in with older credentials. Argon2id is my first choice for new systems, while bcrypt

CSRF is still relevant whenever browsers automatically attach credentials. I keep standard anti-forgery tokens on server-rendered forms and use same-site cookies plus explicit bearer tokens for SPA APIs. The key is matching the defense to the authenti