Core Code
Core Code Modern Dev Handbook
APPLICATION-SECURITY Contents
Security Foundations for Production Apps
Threat Modeling (Practical, Repeatable) OWASP Top 10 (Operator Lens) Defense in Depth (Layered Controls That Hold) Security Baselines and Checklists (What “Good” Looks Like) Secrets in Apps (Storage, Injection, Rotation) Logging Sensitive Data (Pitfalls and Redaction) Rate Limiting Patterns (Abuse and Resilience) Abuse Prevention (Bots, Fraud, Enumeration) HTTPS & TLS Realities (HSTS, Termination, Cert Ops) Secure Headers Baseline (Production Defaults)
Identity, Authentication, and Sessions
Sessions vs JWT (Production Tradeoffs) JWT Attack Patterns and Validation Pitfalls Password Hashing Ops (bcrypt/argon2 Parameters) OAuth2 Flows in Practice (Auth Code + PKCE) OIDC Internals (Discovery, JWKS, Claims) Token Revocation Strategies (What Actually Works) Refresh Token Abuse and Rotation Defenses API Key Management (Issuance, Rotation, Scoping) mTLS Basics (Service-to-Service Identity) Identity Boundary Design (Trust Zones)
Web Attacks and Practical Defenses
XSS in Production (Exploit Paths and CSP Hardening) CSRF (SameSite Reality vs Token Defenses) SSRF (Cloud Metadata Abuse and Egress Controls) Clickjacking (Frame Controls and UI Redress) SQL Injection (Production Defense Patterns) CORS Misconfigurations (Real-World Impact) CSP Practical Recipes (Deployable Policies) Secure Cookie Patterns (HttpOnly, Secure, SameSite) Request Validation Patterns (What to Validate Where) File Upload Hardening (Content Sniffing, AV, Storage)
Secure Delivery, Hardening, and Incident Response
Secure SDLC (Gates That Don’t Kill Delivery) Dependency Risks (Vulns, Updates, Policies) App Supply Chain (Lockfiles, Pinning, Review) Configuration Hardening (Safe Defaults Checklist) Security Monitoring Signals (Auth, Data, Network) Security Alert Design (Noise, Triage, Escalation) WAF Realities (What It Stops and What It Doesn’t) Credential Leak Runbook (Keys, Tokens, Passwords) Compromised Token Runbook (JWT/OAuth Sessions) Security Incident Response (Contain, Eradicate, Recover)

Abuse Prevention (Bots, Fraud, Enumeration)

Stop common abuse: enumeration, scraping, credential stuffing, and replay. Focus on detection signals and operational mitigations.
On this page

Common Abuse Patterns

  • Credential stuffing: many logins across many accounts
  • Enumeration: probing user existence via error differences
  • Scraping: high-volume reads and search abuse
  • Replay: resubmitting requests/webhooks to duplicate effects

Baseline Mitigations

  • Consistent error messages to reduce enumeration
  • Rate limit + progressive delays on auth flows
  • Idempotency keys for write operations
  • Device/session risk scoring for repeated failures
  • Captcha only as a last resort and only on high-risk flows

Detection Signals (Log What Matters)

Signals:
- auth.fail.count per ip and per user
- signup/reset attempts per ip
- 404/401/403 spikes
- repeated identical request payloads (replay)
- unusual user-agent churn

Replay Protection (Idempotency)

Write endpoint:
- Require Idempotency-Key header
- Store key + request hash + result for TTL
- If key seen: return stored result, do not re-execute

Operational Runbook

If abuse detected:
1) Enable stricter rate limits on affected routes
2) Block high-risk IP ranges (temporary) and monitor false positives
3) Turn on additional verification for targeted accounts
4) Investigate leaked credentials, rotate tokens/keys if needed
5) Add regression tests and alerts for the pattern
HTTPS & TLS Realities (HSTS, Termination, Cert Ops) →