security

CSP is a strong defense-in-depth measure for XSS. Start with report-only to learn what breaks, then enforce. Keep it explicit and include nonces for inline scripts when needed.

For webhooks, I assume the internet is hostile by default. I don’t trust that a request ‘looks like’ it came from Stripe/GitHub/etc; I verify the signature over the raw request body and use crypto.timingSafeEqual to avoid leaking information via timin

For internal admin endpoints, I often add a network allowlist in addition to auth. The tricky part is deciding which IP to trust: if you’re behind a proxy, you might need X-Forwarded-For, but only if the proxy is controlled by you. The middleware belo

Database best practices ensure reliability and performance. I follow normalization principles—minimize redundancy. Use appropriate indexes—not too many, not too few. Implement constraints for data integrity. Choose correct data types for efficiency. R

The Keychain securely stores sensitive data like passwords and tokens, encrypting them at the OS level. Direct Keychain APIs are verbose, so I create a wrapper class that simplifies common operations. The wrapper uses Security framework's SecItemAdd,

Letting users paste rich content is a product requirement that can become a security nightmare. I never try to write my own sanitizer. Instead, I run HTML through DOMPurify using JSDOM on the server and keep the allowlist small (minimal tags + attribu

Certificate transparency monitoring is cheap detection for a surprisingly important risk. If a certificate appears for a domain you own and you did not expect it, that deserves immediate investigation. I like monitoring this externally so it still wor

While JWT works well for user authentication, service-to-service communication often uses simpler API key authentication. I generate cryptographically random API keys using SecureRandom.hex(32) and store them hashed in the database, similar to passwor

If you ever need to hand logs to support, you don’t want secrets in them. Filter params at the framework level; then add custom filters for app-specific fields (API keys, tokens).

net/http/pprof is incredibly useful during performance incidents, but it should never be open to the public internet. I register the pprof handlers on a separate mux and wrap them with Basic Auth (or, better, your real auth middleware). The important

Clients can lie about Content-Type, so for uploads I prefer sniffing the first bytes with http.DetectContentType. The safe flow is: open the multipart file, read a small prefix, detect type, then rewind (or re-open) before writing to disk or object st

Password reset workflows require careful security design to prevent account takeover. I generate time-limited, single-use tokens using Rails' signed_id feature which creates tamper-proof tokens without database storage. The token expires after a short