security

Optimized Docker images reduce build time, storage, and attack surface. Alpine-based images start at 5MB versus 100MB+ for Debian. Multi-stage builds separate build tools from runtime—final image contains only production artifacts. Layer ordering matt

EncryptedSharedPreferences secures simple key-value data using Android Keystore. I create instances with EncryptedSharedPreferences.create() specifying encryption schemes. The master key uses MasterKeys or MasterKey.Builder for automatic key generatio

When a session expires, Turbo requests can start returning 401/302 and the UI gets confusing. Handle unauthorized turbo requests explicitly: return a stream that updates a “session expired” banner or triggers a redirect.

Bcrypt is fine, but Argon2 is the modern default with better resistance to GPU attacks. I store the full hash string (it includes parameters + salt) and keep verification in one utility so the rest of the app doesn’t grow its own auth helpers. The imp

A single abusive client can ruin your latency budget for everyone else, so I rate limit early rather than trying to ‘detect abuse’ after the outage starts. I combine an IP bucket with a user bucket: IP protects unauthenticated endpoints, user protects

Audit logs provide accountability and forensic capabilities for sensitive operations like permission changes, data deletion, or financial transactions. I store audit events in a dedicated table with who performed the action, what changed, when it occu

Stateless authentication with JWT tokens simplifies horizontal scaling but introduces security concerns around token lifetime and revocation. I use short-lived access tokens (15 minutes) combined with longer-lived refresh tokens stored in an encrypted

Turbo’s page cache is great until you have sensitive screens (account settings, billing) where the browser back button might show stale content. I handle this by setting cache-control headers and, for specific actions, disabling Turbo caching via turb

I like setting baseline browser hardening headers at the proxy so every app behind it benefits. HSTS, clickjacking protection, MIME sniffing prevention, and sane referrer policy are cheap wins. The only caveat is making sure the settings match real de

Logs are one of the most common unintentional data exfiltration channels. I filter secrets, tokens, and PII before they leave the process, then I keep retention and access tight downstream. If your logs are rich enough to reconstruct private sessions,

Protecting routes at the middleware layer prevents a whole class of ‘oops, we forgot to check auth on one page’ bugs. middleware.ts runs before rendering, so unauthenticated users get redirected early and you don’t waste work. I keep the logic simple:

Environment variables configure applications without code changes. The twelve-factor app methodology stores config in the environment. .env files provide local defaults—never commit them to Git. dotenv libraries load .env files in development. Product