security

GraphQL endpoints can be abused with huge queries that are expensive to parse and execute. Persisted queries let clients send a hash (e.g. sha256:...) instead of the full query, and the server only executes queries it recognizes. This reduces payload

Interceptors are the cleanest way to standardize cross-cutting behavior in gRPC. I use a unary interceptor to extract authorization from metadata, validate it, attach the principal to context.Context, and log the method name and duration. This keeps s

Session-based apps still need CSRF protection even when the API is ‘JSON’. I like the double-submit cookie approach: set a CSRF token cookie, require the client to echo it in x-csrf-token, and verify they match. The reason I prefer this is that it doe

Rate limiting prevents API abuse by restricting request frequency per user or IP. Laravel's RateLimiter facade defines limits in RouteServiceProvider. I apply limiters via middleware—throttle:api for the default API limiter. Custom limiters use closur

Database security protects data from unauthorized access. I use GRANT/REVOKE for permissions—SELECT, INSERT, UPDATE, DELETE. Role-based access control groups permissions. Row-level security filters data per user. Column-level security restricts sensit

BiometricPrompt provides secure authentication via fingerprint, face, or iris. I create BiometricPrompt with callback handling success, error, and failure. PromptInfo configures title, subtitle, description, and allowed authenticators. Negative button

Strong parameters prevent mass assignment vulnerabilities by explicitly permitting allowed attributes. For nested associations like a post with embedded images or comments, I use nested permit calls. Arrays of primitives use [] syntax, while hashes of

JWT auth is easy to get subtly wrong, especially around key rotation. Instead of hard-coding public keys, I fetch JWKS and cache it with a refresh interval so new signing keys are accepted quickly. I still validate iss and aud so tokens from other env

Redis should not be assumed safe just because it sits inside a VPC or private subnet. I enable authentication or ACLs, bind deliberately, and keep the service off public networks entirely. Fast infrastructure becomes dangerous infrastructure when team

OAuth flows are a minefield, and PKCE is the safe default for public clients. I generate a verifier, derive a challenge, store the verifier in a short-lived session, and then exchange the authorization code for tokens. The key detail is treating the v

CSRF is still relevant whenever browsers automatically attach credentials. I keep standard anti-forgery tokens on server-rendered forms and use same-site cookies plus explicit bearer tokens for SPA APIs. The key is matching the defense to the authenti

Most security issues aren’t exotic—they’re missing headers and unsafe defaults. helmet gives a sensible baseline: headers that reduce clickjacking risk, tighten content-type sniffing, and improve general browser hardening. I still configure CSP explic